[1442] in linux-security and linux-alert archive
[linux-security] (Linux) security hole
daemon@ATHENA.MIT.EDU (Arjan Vos)
Fri Feb 7 03:50:04 1997
Date: Fri, 7 Feb 1997 00:23:01 +0100 (MET)
From: Arjan Vos <arjan@pino.demon.nl>
To: bugtraq@netspace.org, linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Hi all,
Though this bug is an old one, it is still applicable to at least
Red Hat 4.0 on Intel and ALPHA, and probably other distributions. It may
even extend to other Unix implementations as well, although we have not
tested them (at all or thoroughly).
Create a user with user id 65536. When logging in as this user, running
the id command will yield root (in other words, there are only 16 bits in
a uid). /etc/securetty and ftp restrictions are bypassed when connecting
through the net. The 'r' commands may allow access or not, this appear to
be implementation dependend.
Does this 'feature' apply to other platforms/Unix versions as well?
[mod: We try not to publish old stuff. On the other hand, as a
reminder to "younger" people I think a single message about an older
issue could be warranted. I DON"T want any discussion about this
"problem". This is just a statement of fact. OK?
Traditionally Unix systems use 16 bit numbers to represent uids. This
leads to the observed behaviour. Wether or not the "r" commands and
deamons use a 16 bit uid (and consider this uid == 0) or incorrectly use
a 32 bit uid is an implementation question, and will differ from
system to system. -- REW]
Arthur Donkers
Le Reseau
arthur@reseau.nl
Arjan Vos
KPMG EDP Auditors
avos@kpmg.nl (work)
arjan@pino.demon.nl (private)