[3013] in bugtraq
Re: bin owned system files
daemon@ATHENA.MIT.EDU (Mark Riggins Mark.Riggins@att.com)
Thu Jul 25 19:54:41 1996
Date: Thu, 25 Jul 1996 19:00:36 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Mark Riggins Mark.Riggins@att.com" <mdr@vodka.sse.att.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <v03007610ae1d9f0f87cb@[128.10.9.66]> from "Gene Spafford" at Jul 25, 96 05:18:39 pm
Gene's right. I've seen exploits based on this. For example,
many systems can be configured to disallow root login from anything
but the console, but they will allow bin or sys or any number of
other logins that lead to root.

It's basically a bad idea to give control of the files to an ID with
less restrictive or different permissions.
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
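
A defensive check for the condition described in the message above, added here as an example and not part of the original post: it lists system files owned by a non-root account whose passwd entry still permits a login. The function names, the NOLOGIN_SHELLS list, the treatment of a "*" or "!" password field as locked, and the sample passwd text and ownership table are all assumptions constructed for illustration.

```python
import os

# Shells that prevent an interactive login (assumed list; adjust per system).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def login_capable(passwd_text):
    """Map uid -> name for non-root accounts whose passwd entry permits a login."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        # Assumption: a field starting with "*" or "!" marks a locked password.
        # "x" means the hash is in the shadow file, so it is treated as usable.
        locked = pw.startswith(("*", "!"))
        # An empty shell field means the default shell, so it counts as usable.
        if uid != "0" and not locked and shell not in NOLOGIN_SHELLS:
            accounts[int(uid)] = name
    return accounts

def owners_of(root):
    """Walk a directory tree and return {path: owner uid} using lstat."""
    owners = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            owners[path] = os.lstat(path).st_uid
    return owners

def findings(passwd_text, owners):
    """System files owned by a non-root account that is able to log in."""
    capable = login_capable(passwd_text)
    return sorted((path, capable[uid]) for path, uid in owners.items() if uid in capable)

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
daemon:x:1:1:daemon:/:/usr/sbin/nologin
"""
SAMPLE_OWNERS = {"/usr/bin/login": 0, "/usr/bin/su": 2, "/etc/inittab": 3, "/usr/sbin/cron": 1}

if __name__ == "__main__":
    for path, account in findings(SAMPLE_PASSWD, SAMPLE_OWNERS):
        print(f"{path}: owned by login-capable account '{account}'")
```

On a live host, pass the contents of /etc/passwd and owners_of("/usr/bin") (or another system directory) instead of the sample data. A locked password field does not rule out other login paths, so treat accounts the check skips as unverified rather than safe.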