[8757] in bugtraq


Re: Irix logs + su

daemon@ATHENA.MIT.EDU (pmws@GMX.NET)
Mon Dec 21 17:35:14 1998

Date: 	Mon, 21 Dec 1998 12:26:27 +0100
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: pmws@GMX.NET
To: BUGTRAQ@NETSPACE.ORG

Subject: Re: Irix tape devices + logs + su

hi,
i hope this is no grey bearded stuff ;)

On Dec 18,  6:05pm, Valdis.Kletnieks@VT.EDU wrote:
> Subject: Re: Irix tape devices + logs + su
> >  Also, /var/adm/SYSLOG contains the failed login names (even if they
> > don't exist) and by default, this file is forced to be mode 644 (root's
> > crontab will take care of this, when rotating the logs).
>
> This can be an issue.
>
there is a much funnier 'feature': if you add a user via
addUserAccount, this action is logged in SYSLOG including the (crypted) password (seen on
an Origin 2000). to me, this makes /etc/shadow rather useless. on my machines
i cannot reproduce this behavior. is there anybody who has seen this
before??

> >  Finally, when using su, the user's .cshrc will be executed with
> > privileges of the target user (if the su is successful). For example,
> > if user nobody has a cp /bin/sh /tmp; chmod 6755 /tmp/sh in his .cshrc
> > and he uses su to become root, a rootshell will be available in /tmp :)
> > This is valid only for successful su's
>
> So?  They're root, and they could do that *anyhow*. No exposure here.
>
> Now, if the user can trick the sysadmin into su'ing and running the
> user's .cshrc *instead* of the sysadmin's, that's more interesting.
if you read the su manpages it goes like:
...
     sh(1).  If the first argument to su is a -, the environment is changed to
     what would be expected if the user actually logged in as the specified
     user.  This is done by invoking the program used as the shell with an
     arg0 value whose first character is -, thus causing the system's profile
     (/etc/profile) and then the specified user's profile (.profile in the new
     HOME directory) to be executed.
...
and this works as expected: if you add the - option nothing evil happens.
otherwise you're lost ;) (on my machines at least...)
> >-- End of excerpt from Valdis.Kletnieks@VT.EDU

merry x-mas,
philipp
---
Sent through Global Message Exchange - http://www.gmx.net
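As an added example (not part of the original post, and not IRIX code), here is a POSIX sh script with two defender-side checks for the SYSLOG concerns raised in the message: whether the log file is readable by other users (the mode 644 point), and a heuristic scan for traditional crypt(3) hashes that ended up in log lines (the addUserAccount point). The sample log lines, the hash value and the addUserAccount message format are constructed for this example, since the post does not show the actual format.

```shell
#!/bin/sh
# Added example, not code from the original post: defender-side checks for the
# two /var/adm/SYSLOG concerns raised in the thread (world-readable log file,
# crypted passwords written to the log). The log format below is constructed.

# Return 0 if the file grants read permission to "other" (e.g. mode 644),
# 1 otherwise. Reads the mode string from ls -ld, which is portable across
# SysV and BSD userlands; cut -c1-10 drops any trailing ACL/context marker.
log_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 0 ;;   # 8th character is the other-read bit
        *)          return 1 ;;
    esac
}

# Heuristic scan for traditional crypt(3) hashes (13 characters from the
# alphabet [./0-9A-Za-z]) leaked into a log. To avoid flagging ordinary
# 13-letter words, a token must also contain a digit, '.' or '/' and both
# upper- and lower-case letters. Prints matching lines; exit 0 if any, else 1.
scan_for_crypt_hashes() {
    awk '
    {
        found = 0
        for (i = 1; i <= NF; i++) {
            tok = $i
            # strip punctuation glued to the token, e.g. "(" or ","
            gsub("^[^./0-9A-Za-z]+|[^./0-9A-Za-z]+$", "", tok)
            if (length(tok) == 13 && tok ~ "^[./0-9A-Za-z]+$" &&
                tok ~ "[./0-9]" && tok ~ "[A-Z]" && tok ~ "[a-z]")
                found = 1
        }
        if (found) { print; hit = 1 }
    }
    END { exit hit ? 0 : 1 }' "$1"
}

# Constructed sample in the spirit of /var/adm/SYSLOG; the hash and the
# addUserAccount message format are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 21 12:26:27 origin login[1234]: FAILED LOGIN (1) FROM console FOR nosuchuser, Authentication failure
Dec 21 12:27:03 origin addUserAccount[1301]: added user jdoe (uid 1025) password aB3x.Q9zLk/7W
Dec 21 12:28:10 origin su: jdoe on /dev/ttyq1 succeeded
EOF
}

# Stand-alone usage: sh check_syslog.sh /var/adm/SYSLOG
if [ $# -gt 0 ]; then
    if log_world_readable "$1"; then
        echo "WARNING: $1 is readable by other users"
    fi
    if scan_for_crypt_hashes "$1"; then
        echo "WARNING: $1 contains what look like crypt(3) password hashes"
    fi
fi
```

The hash check is deliberately a heuristic: a 13-character crypt(3) string almost always mixes case and contains a digit, '.' or '/', so requiring all of those keeps 13-letter words such as "configuration" from being reported. If the scan ever reports a hit, the fix is on the logging side (stop writing the hash) and on the file side (tighten the mode the rotation job sets); the offending log lines should also be treated as a credential exposure and the affected passwords changed.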
