Bugtraq mailing list archives

Re: From the moderator: READ Please


From: claudio () fire di unipi it (Claudio Telmon)
Date: Mon, 22 May 1995 11:03:20 +0200


I'm sorry for the wasted bandwidth, so I'll send something more interesting
(I hope :)). Two problems, not really bugs. I've found them on Linux, but you
may find them on other u**x too.
1) Some new releases of sendmail install the program as group kmem.
I can't see any good reason for this, if I'm wrong please correct me. This
group is dangerous, because it is able to read the kernel and physical memory.
I was able to get a shell as group kmem via the old ident bug, and to find some
fragments of the shadow passwords file in the kernel memory. Newer bugs may
give the same opportunity. 
2) There is a (known?) way to run arbitrary script files as suid/sgid
without the need to set the permission bits.
All you need is write permission in the /var/spool/atjobs directory.
This is because atrun uses the user/group of the files in the directory to
suid/sgid before execution. If you can add a link in the directory to your
target file, atrun will execute it as suid/sgid.
If you have write permissions to a file, you can write a script in it and
run it suid to the owner. There are some limits: it won't work on a NFS
mounted file system, and maybe it works only on the file system of 
/var/spool/atjobs. The problem, IMHO, is that using file ownership as
sticky bits is not correct. 
On my Linux, the directory is owned by bin. Bin has little or no other
permissions (most files are owned by root), but this way it becomes a
very dangerous user.

Ciao

- Claudio
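As an added example (not code from Claudio's post), the following audit script checks a host for the two conditions the message describes: an at spool directory that others can write to or that contains links to files owned elsewhere, and a set-group-id binary that grants a group such as kmem. The spool path, the list of dangerous groups and the constructed fixture directories are assumptions made for illustration.

```python
"""Audit helpers for the two issues raised in the post above.

Added example, not code from the original message.  The spool path, the
DANGEROUS_GROUPS set and the fixture built by demo_* are assumptions.
"""
import grp
import os
import stat
import tempfile

# Groups that should never own a set-group-id binary: kmem can read
# kernel and physical memory.  Assumed list for illustration.
DANGEROUS_GROUPS = {"kmem"}


def audit_spool(spool_dir):
    """Return (severity, message) findings for an atrun-style spool directory.

    atrun takes the uid/gid of each entry as the identity to run it under, so
    an entry that is really a link to someone else's file, or a directory that
    untrusted users can write to, is what an administrator needs to spot.
    """
    findings = []
    dst = os.lstat(spool_dir)
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("high", f"{spool_dir} is group/world writable"))
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        est = os.lstat(path)              # lstat: do not follow symlinks
        if stat.S_ISLNK(est.st_mode):
            findings.append(("high", f"{name}: symlink to {os.readlink(path)}"))
            continue
        if not stat.S_ISREG(est.st_mode):
            findings.append(("medium", f"{name}: not a regular file"))
            continue
        if est.st_nlink > 1:
            # A hard link shares inode and ownership with a file elsewhere.
            findings.append(("high", f"{name}: hard link (nlink={est.st_nlink})"))
        if est.st_uid == 0:
            findings.append(("high", f"{name}: owned by root; atrun would run it as root"))
    return findings


def setgid_group(path):
    """Return the group name a set-group-id binary grants, or None if not sgid."""
    st = os.stat(path)
    if not st.st_mode & stat.S_ISGID:
        return None
    try:
        return grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_gid)


def check_sgid_binary(path):
    """Flag a binary (e.g. an assumed /usr/sbin/sendmail) that is sgid to a dangerous group."""
    g = setgid_group(path)
    if g in DANGEROUS_GROUPS:
        return ("high", f"{path} is setgid {g}")
    return None


def demo_spool():
    """Build a constructed, deliberately misconfigured spool and audit it."""
    base = tempfile.mkdtemp()
    other = os.path.join(base, "somebody_elses_file")   # constructed
    with open(other, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    spool = os.path.join(base, "atjobs")
    os.mkdir(spool)
    os.chmod(spool, 0o1777)                 # world writable, like a bad spool
    with open(os.path.join(spool, "a00001"), "w") as f:
        f.write("#!/bin/sh\n")              # ordinary job file
    os.symlink(other, os.path.join(spool, "a00002"))
    os.link(other, os.path.join(spool, "a00003"))
    return audit_spool(spool)


def demo_sgid():
    """Create one sgid and one plain file; return their setgid_group() results."""
    base = tempfile.mkdtemp()
    sgid = os.path.join(base, "sgid_bin")
    plain = os.path.join(base, "plain_bin")
    for p in (sgid, plain):
        open(p, "w").close()
    os.chmod(sgid, 0o2755)
    os.chmod(plain, 0o755)
    return setgid_group(sgid), setgid_group(plain)


if __name__ == "__main__":
    for sev, msg in demo_spool():
        print(sev, msg)
    print(demo_sgid())
    print(check_sgid_binary("/usr/sbin/sendmail") if os.path.exists("/usr/sbin/sendmail") else "no sendmail")
```

Run it against the real spool with `audit_spool("/var/spool/atjobs")`; the `demo_*` functions only exercise the checks on throwaway temporary directories.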


