Bugtraq mailing list archives
Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
From: proff () suburbia net (Julian Assange)
Date: Thu, 2 Nov 1995 16:21:50 +1100
> If anyone got on a firewall setup like this it is simple to compile a binary offsite to suit the architecture, static if necessary, and import it, run it and then have that binary act as a personal ftp/shell/port login process.
>
> Have a nice day
> Mark
> mark () lochard com au
I modified our kernel to do trust circles (mainly mods to exec.c) quite some time ago. To put it simply, only non group and world writable binaries owned by "trusted" users (root, etc) in trusted user owned directories can be executed. This goes for #! expansion as well. If however a user is in the "exec" group then they can execute their own binaries.

Bypassing this system requires the privileges of the trusted user or root. Using a flaw to create, or finding a group or world writable file owned by a trusted user and placing your code into it will not work, unless you can turn off the group/world write permission afterwards. Attempted trust violations are klogged.

Every time the latest IFS (etc) style "execute my code now", kernel call bug or race condition is found, I amuse myself by watching the frustration of people trying to exploit it.

The reason the directory in which the trusted binary lies must also be trusted is that one can do things like:

    $ cd /tmp
    $ ln /sbin/reboot usr
    $ export IFS=/
    $ neil+karl_food -y

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              | has stood still, who built the largest  |
|EMAIL: proff () suburbia net      | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+
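A userland model of the trust-circle exec rule described in the post, added here as an example; it is not the author's exec.c patch. The trusted-uid set, the "exec" group flag and the temporary bin/ and scratch/ directories (scratch/ standing in for /tmp) are constructed for the demo.

```python
import os
import stat
import tempfile


def _inode_ok(st, trusted):
    """Inode owned by a trusted uid and neither group- nor world-writable."""
    return st.st_uid in trusted and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def exec_allowed(path, trusted, uid, in_exec_group=False, depth=0):
    """Model of the post's trust-circle exec rule: returns (allowed, reason)."""
    path = os.path.realpath(path)  # symlinks resolve here; hardlinks do not
    st, dst = os.stat(path), os.stat(os.path.dirname(path))
    if in_exec_group and st.st_uid == uid:
        pass  # members of "exec" may run binaries they own themselves
    elif not _inode_ok(st, trusted):
        return False, "file: wrong owner or group/world writable"
    elif not _inode_ok(dst, trusted):  # the directory must be trusted too
        return False, "directory: wrong owner or group/world writable"
    with open(path, "rb") as f:
        head = f.readline(256)
    if head.startswith(b"#!"):  # '#!' expansion: interpreter gets the same check
        words = head[2:].split()
        if depth or not words:
            return False, "bad or nested #! interpreter"
        ok, why = exec_allowed(words[0].decode(), trusted, uid, in_exec_group, depth + 1)
        if not ok:
            return False, "interpreter: " + why
    return True, "ok"


def demo():
    """Constructed scenario: trusted bin/, world-writable scratch/ (like /tmp),
    the hardlink trick from the post, and a '#!' script aimed at that link."""
    me, root, trusted = os.getuid(), tempfile.mkdtemp(), {os.getuid()}
    b, s = os.path.join(root, "bin"), os.path.join(root, "scratch")
    for d, m in ((b, 0o755), (s, 0o1777)):
        os.mkdir(d); os.chmod(d, m)
    def put(d, name, data, mode=0o755):
        p = os.path.join(d, name)
        with open(p, "wb") as f: f.write(data)
        os.chmod(p, mode)
        return p
    tool, mine = put(b, "tool", b"\x7fELF"), put(s, "mine", b"\x7fELF", 0o700)
    link = os.path.join(s, "usr"); os.link(tool, link)  # $ ln /sbin/reboot usr
    bad = put(b, "bad.sh", b"#!" + link.encode() + b"\n")
    return {"trusted_tool": exec_allowed(tool, trusted, me)[0],
            "hardlink_in_scratch": exec_allowed(link, trusted, me)[0],
            "own_no_exec_group": exec_allowed(mine, trusted, me)[0],
            "own_in_exec_group": exec_allowed(mine, trusted, me, True)[0],
            "script_untrusted_interp": exec_allowed(bad, trusted, me)[0]}
```

The hardlinked copy is rejected because its directory is world-writable, which is exactly why the post requires the containing directory to be trusted as well.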