
Security hole

Hello,

I know some of us run multiuser configurations on their MiNT machines,
give accounts and accesses through the Net. I think it may be interesting
for them (for me too, as my Falcon has about 25 accounts on its disk :>):

There is a security hole, huge just like a barn!

Please do the following experiments:

Experiment I.

1) Log in as root
2) Make somewhere a directory with permissions 777 (rwxrwxrwx). The best
place is the root directory of a Minix disk. Let the directory be called
"testdir":

drwxrwxrwx  root wheel  testdir

3) cd to it
4) make a regular file inside, called e.g. "testfile":

-rw-r--r--  root wheel  testfile

5) Log out.
6) Login as a regular user (group users).
7) cd to our "testdir"
8) do "rm testfile"
9) answer "y" if a question appears
10) do "ls -l" :)

Experiment II.

1) Log in as a regular user (group users)
2) do "ftp localhost"
3) login to your regular FTP account (the same as for shell)
4) cd to /proc
5) do "del init.001" :)))))

Summa summarum:

I was told about it as about a FTPD related problem, but last night I
discovered it is more common and generally it smells more like a kernel
imperfection (say it "bug" :)). Namely, a regular user is able to delete
(but is not able to overwrite!) any regular file belonging to root using
normal shell account but only if:

a) the directory containing the file is writable by all (777)
b) the user has a read access (?!)

Additionally, the user is able to remove ANY SYSTEM PROCESS using FTP
daemon (it is not possible from the shell, this is a thing I don't get).

It took me a while before I found a couple of Mesozoic kernels to be sure
this problem is not a 1.14.x related problem. It is not (a 1.12 allows the
same).

Contemporary solution for FTP access: please enable "anonymous only" mode
for the server (-A). It is impossible to remove a process from anonymous
account.

Regards

Konrad M.Kokoszkiewicz

mail:draco@nidus.mi.com.pl
     draco@irc.pl
     draco@piwo.bl.pg.gda.pl
     conradus@avanti.orient.uw.edu.pl
     conradus@plearn.edu.pl
     draco@nuova.id.uw.edu.pl
http://www.orient.uw.edu.pl/~conradus/
 IRC:[Draco]

*** Ea natura multitudinis est,
*** aut servit humiliter, aut superbe dominatur.
*************************************************
*** It is normal for the common people that they either serve
*** humbly or domineer insolently.
                                           (Liv. XXIV, 25)
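Added after the message as an editor's example; this is not the author's code and does not touch the FTP daemon or /proc behaviour the post describes. It addresses condition (a) from the summary: on a POSIX filesystem, unlinking an entry is governed by write permission on the directory, not on the file, and the usual way to allow a world-writable shared directory while still stopping users from deleting each other's files is the sticky bit (mode 1777). The script audits a tree for directories that are world-writable without the sticky bit, hardens them with chmod +t, and demonstrates both on a constructed copy of the "testdir" setup from Experiment I. It assumes only standard find, chmod and mktemp; the function names are the editor's own.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Lists directories that are
# world-writable without the sticky bit: in such a directory any user may
# unlink any entry, whoever owns the file. Setting the sticky bit (mode 1777)
# restricts deletion to the file owner, the directory owner, or root.

# Print every directory under $1 that is world-writable (o+w, octal 0002) and
# lacks the sticky bit (octal 1000). Output is one path per line.
audit_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Count the directories audit_world_writable reports under $1.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Add the sticky bit to every directory audit_world_writable reports under $1.
# Shared scratch directories (like /tmp) keep working: users can still create
# files there, but can no longer delete files they do not own.
harden_world_writable() {
    audit_world_writable "$1" | while IFS= read -r dir; do
        chmod +t "$dir"
    done
}

# Self-contained demonstration on a constructed tree in a temp directory:
# rebuilds the "testdir" setup from Experiment I, audits, hardens, re-audits.
# Prints the number of findings before and after; returns 0 if hardening
# cleared them all.
demo_sticky_fix() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/testdir" "$tmp/shared"
    chmod 777 "$tmp/testdir"     # the post's setup: rwxrwxrwx, no sticky bit
    chmod 1777 "$tmp/shared"     # already hardened, must not be reported
    : > "$tmp/testdir/testfile"  # constructed stand-in for root's "testfile"
    before=$(count_world_writable "$tmp")
    harden_world_writable "$tmp"
    after=$(count_world_writable "$tmp")
    echo "world-writable dirs without sticky bit: before=$before after=$after"
    rm -rf "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
```

To audit a live system, source the file and run `audit_world_writable /` (as root, so find can descend everywhere) and review the list before calling `harden_world_writable` on a narrower subtree; `demo_sticky_fix` exercises the whole cycle on throwaway directories. The sticky bit changes only who may unlink or rename entries; it does not change who may read or overwrite the files themselves, which matches the post's observation that overwriting root's file was already refused.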