Bugtraq mailing list archives
Re: bin ownership problem
From: lcbginge () antelope wcc edu (Bruce Gingery)
Date: Thu, 19 May 1994 13:33:06 -0600 (MDT)

And on ONE system of my acquaintance, bin was for some reason set to
uid=0, left defaulted to /bin/sh and / and null passworded. I'm certainly
not going to post WHERE this was, but suffice that it's networked and is
not *this* host nor directly connected to it. The report of that
condition was from another party who has access to the host. I do not
know if this has been corrected.

If anyone is "lurking" here a quick grep of passwd might be in order if
you have some hosts that are predominantly "left alone", usually accessed
via network rather than via directly attached terminals. One more tip -
the system I am referring to is a Unix system. The report of this setup
is now several months old, so COULD have been discovered and repaired,
though I doubt it.

On that system, nothing "seems" to be owned by root ;-) Is this the
ULTIMATE in security by obscurity?

Bruce Gingery
---
bruce () TotSysSoft com
lcbginge () antelope wcc edu
NeXT-mail and MIME-mail welcome

On Thu, 19 May 1994, Perry E. Metzger wrote:
> Brian Parent says:
> > Ok, I'll expose my ignorance and ask, what is the specific
> > vulnerability of bin owned files? I understand how it is a problem
> > on NFS exported files to insecure hosts, but what is the risk for
> > files/dirs on a locally non-exported file system? What about groups,
> > is bin a bad group also?
>
> 1) Someday, your file system might end up being exported.
>
> 2) On many systems, breaking bin is easier than breaking root.
>
> Perry
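
The "quick grep of passwd" suggested in the message above, written out as an added example (not part of the original post): it flags the three conditions reported for that bin entry, namely uid 0 on an account other than root, an empty password field, and a login shell on a low-uid system account. The function names, the uid threshold of 100, the shell list and the sample entries are assumptions made for illustration; where shadow passwords are in use the second field is only a placeholder, so a null password would have to be looked for in the shadow file instead.

```shell
#!/bin/sh
# audit_passwd [FILE...]: scan passwd-format input (stdin if no FILE)
# and print one finding per line as "<CODE> <account>".
audit_passwd() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }              # skip comments, blank lines
        # A passwd entry has 7 fields and a numeric uid in field 3.
        NF != 7 || $3 !~ /^[0-9]+$/ { print "MALFORMED " $1; next }
        # Any name other than root carrying uid 0 is a second superuser.
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # Empty field 2 means no password is required to log in.
        $2 == "" { print "NULLPW " $1 }
        # System account (uid < 100, an assumed cutoff) with a login shell;
        # an empty shell field defaults to /bin/sh.
        $1 != "root" && $3 < 100 &&
            ($7 == "" || $7 ~ /\/(sh|csh|ksh|bash|zsh)$/) { print "SHELL " $1 }
    ' "$@"
}

# Constructed sample data; the bin line mirrors the entry described in the
# message (uid 0, home /, shell /bin/sh, null password).
sample_passwd() {
    cat <<'EOF'
root:Xq9constructedhash:0:0:Operator:/:/bin/csh
daemon:*:1:1::/:/sbin/nologin
bin::0:0::/:/bin/sh
uucp:*:4:8::/var/spool/uucp:/usr/lib/uucp/uucico
alice:Zz8constructedhash:1001:100:Alice:/home/alice:/bin/sh
EOF
}

# Run the audit over the sample when the script is executed.
sample_passwd | audit_passwd
```

To check a live host, call `audit_passwd /etc/passwd`; no output means none of the three conditions was found.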