[13761] in Athena Bugs
sun4 7.7T: security bug
daemon@ATHENA.MIT.EDU (Matteo Frigo)
Sun Aug 20 16:58:29 1995
To: bugs@MIT.EDU
Date: Sun, 20 Aug 1995 16:58:23 EDT
From: Matteo Frigo <matley@MIT.EDU>
System name: m11-113-8
Type and version: SPARC/Classic 7.7T
Display type: cgthree
What were you trying to do?
[Please replace this line with your information.]
at -f /etc/shadow now + 1 day
cat /var/spool/atjobs/*.a
# look at /etc/shadow, you shouldn't be able to read.
What's wrong:
[Please replace this line with your information.]
There is a security bug in Solaris 2.3: 'at' allows any user to
read any file in the system. I don't know how this bug interacts
with kerberos. Basically the problem is as follows:
1) 'at' accepts the flag '-f' as an indication of the script to
execute.
2) however it reads *any* file, independently of the permissions
(under standard Unix Filesystem, don't know what happens with AFS).
3) you can then find the file in the spool directory, owned by you.
What should have happened:
[Please replace this line with your information.]
Please describe any relevant documentation references:
[Please replace this line with your information.]
There should be a patch by Sun: I can look around if you don't find it.
------
Regards
Matteo Frigo
