Re: Reminder for ppl (ANOTHER SGI BUG!)

[ishtar () CAL022011 STUDENT UTWENTE NL (Henri Karrenbeld)]

At 11:56 19/5/97 -0600, you wrote:
>  Eric's blind defense of IRIX (without even trying my exploit) has lead
> to the discovery of yet another major IRIX bug. Read on...

[snip]

> > BTW, since SUID shell scripts are diabled by default on every SGI, you must
> > have enabled them for your exploit to work.
> >
> > 1# systune | grep uid
> >         nosuidshells = 1 (0x1)
>
>  Wow, here's another bug. Apparently that flag does nothing at all:
>
> .remise.mcn,~ {1} # uname -a
> IRIX remise 6.2 03131015 IP22
> .remise.mcn,~ {2} # systune | grep uid
>        nosuidshells = 1 (0x1)
> .remite.mcn,~ {3} # exit
> .remise.mcn,~ {9} > reg4root
> # id
> uid=100(mcn) gid=20(user) euid=0(root)
>
> ....
>
> reg4root is the exact exploit I posted late last week. It creates a setuid
> shell, and executes it. I guess the nosuidshells flag doesn't do anything?

Oh yes, it sure should be doing something... however, not the thing you
think it should be doing: it does NOT disable suid shells.

So what does it do? There is probably some info in the manpage of systune,
but as far as I can remember it should disable setuid _shellscripts_ and
_not_ setuid shells. For IRIX a shell is just a binary like any other
binary, so the setuid bit works like with any other program. As far the name
is concerned...
I guess 'nosuidshells' means 'NOSetUIDSHELLScripts'

$) Henri
Hardware, n.:
The parts of a computer system that can be kicked. - nn.

If God used E-mail, he'd use PGP. - myself