[2736] in bugtraq


Re: Publically writable directories

daemon@ATHENA.MIT.EDU (Bill Pemberton)
Tue Jun 18 12:59:54 1996

Date: 	Tue, 18 Jun 1996 11:57:48 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Bill Pemberton <wfp5p@tigger.itc.virginia.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <199606180820.KAA00245@mvmap66.ciw.uni-karlsruhe.de> from "Thomas
              Koenig" at Jun 18, 1996 10:20:53 AM

Thomas Koenig writes:
>
> When an attacker does
>
> $ ln -s /tmp/some.file /etc/nologin
>
> and has root create /tmp/some.file, the problems are obvious.  Question:
> Can this also create security problems for a 'normal' user?
>

Quite easily.  What about:

ln -s /tmp/some.file /home/blah/.rhosts

If you can get user blah to open /tmp/some.file and put something like + +
in the file (this was the hole with elm).

Or, a simple screw-up-the-user:

ln -s /tmp/some.file /home/blah/.profile



--
Bill Pemberton                           wfp5p@virginia.edu
ITC/Unix Systems                         flash@virginia.edu
University of Virginia                   uunet!virginia!wfp5p
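
The defensive counterpart to the symlink problem discussed in this message, as an added example that is not part of the original post: a program writing into a publicly writable directory should create its file with `O_CREAT | O_EXCL` so that a name someone else has already planted there is refused rather than followed. The function names and the scratch paths are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` only if nothing is there yet. With O_CREAT|O_EXCL, open()
 * fails when the last component already exists and does not follow a
 * symlink there (dangling or not). O_NOFOLLOW is defence in depth. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: "some.file" is a
 * pre-planted symlink to "dot-rhosts". Returns 1 if safe_create() refused
 * the link and the link's target is still empty, 0 if not, -1 on setup error. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/symdemoXXXXXX";
    char target[64], lnk[64];
    struct stat st;
    int fd, ok;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/dot-rhosts", dir);
    snprintf(lnk, sizeof lnk, "%s/some.file", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(target, lnk) != 0) return -1;

    errno = 0;
    fd = safe_create(lnk);               /* must not write through the link */
    ok = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    ok = ok && stat(target, &st) == 0 && st.st_size == 0;

    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("planted symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```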
