Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.idt.net!news.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.mathworks.com!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Why chown(2) is privileged?
Date: 22 Nov 1996 00:15:39 GMT
Organization: Private BSD site, Dresden
Lines: 20
Message-ID: <572rbb$moi@uriah.heep.sax.de>
References: <CANDY.96Oct24222129@xxx.fct.kgc.co.jp> <w7k9rsjv54.fsf@mud.imperium.net> <56vans$k8j@news1.iamerica.net>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E

AJ Musgrove <musgrove@xavier.varmm.com> wrote:

> % cp /bin/sh /tmp/backdoor
> % chmod a+rwxs /tmp/backdoor
> % chown root /tmp/backdoor
>
> Explanation: I make a copy of the shell, make it suid, then make root own
> it. I now have a way to become root without knowing the password.
>
> I guess chown could be modified to remove the suid bit with chown'ing...

It is, in all those systems that allow an arbitrary user to chown
something.  (chown(2), of course, the syscall itself.)

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
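
The behaviour described in the reply above can be checked on a given system with a short C program. This is an added example, not part of the original post; the function name and scratch path are made up for illustration, and it assumes Linux semantics for fchown(2).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define SETID_BITS (S_ISUID | S_ISGID)

/* Mark a scratch file setuid/setgid + executable, change its ownership via
 * fchown(2), and return the set-id bits that survive (0 = kernel stripped
 * them). Returns -1 if the scratch file could not be prepared. */
int setid_bits_after_chown(void)
{
    char path[] = "/tmp/chown-check-XXXXXX";  /* constructed scratch name */
    struct stat st;
    int result = -1;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;

    /* 06755: setuid, setgid, rwxr-xr-x. The kernel may refuse setgid if we
     * are not in the file's group, so only setuid is required below. */
    if (fchmod(fd, SETID_BITS | 0755) != 0 || fstat(fd, &st) != 0)
        goto out;
    if (!(st.st_mode & S_ISUID))
        goto out;

    /* Ownership "change" any user may make: to the ids the file already has.
     * Assumption: Linux semantics, where any successful chown of a regular
     * file clears the bits; other kernels may only do so when ids differ. */
    if (fchown(fd, st.st_uid, st.st_gid) != 0 || fstat(fd, &st) != 0)
        goto out;
    result = (int)(st.st_mode & SETID_BITS);
out:
    close(fd);
    unlink(path);  /* remove the scratch file again */
    return result;
}

int main(void)
{
    int left = setid_bits_after_chown();
    if (left < 0) { fprintf(stderr, "could not prepare scratch file\n"); return 2; }
    printf("set-id bits after chown: %04o (%s)\n", (unsigned)left,
           left ? "NOT cleared" : "cleared");
    return left ? 1 : 0;
}
```

A non-zero exit status means the kernel left set-id bits in place across the ownership change.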