Bugtraq mailing list archives
Re: Irix logs + su
From: pmws () GMX NET (pmws () GMX NET)
Date: Mon, 21 Dec 1998 12:26:27 +0100
Subject: Re: Irix tape devices + logs + su

hi,

i hope this is no grey bearded stuff ;)

On Dec 18, 6:05pm, Valdis.Kletnieks () VT EDU wrote:
> Subject: Re: Irix tape devices + logs + su
>
> Also, /var/adm/SYSLOG contains the failed login names (even if they don't exist) and by default, this file is forced to be mode 644 (root's crontab will take care of this, when rotating the logs). This can be an issue.

there is a much more funny 'feature': if you add a user via addUserAccount this action is logged in SYSLOG including the (crypted) password (seen on an origin 2000). to me, this makes /etc/shadow rather useless. on my machines i cannot reproduce this behavior. is there anybody who has seen this before??

> Finally, when using su, the user's .cshrc will be executed with privileges of the target user (if the su is successful). For example, if user nobody has a cp /bin/sh /tmp; chmod 6755 /tmp/sh in his .cshrc and he uses su to become root, a rootshell will be available in /tmp :) This is valid only for successful su's
>
> So? They're root, and they could do that *anyhow*. No exposure here. Now, if the user can trick the sysadmin into su'ing and running the user's .cshrc *instead* of the sysadmin's, that's more interesting.

if you read the su manpages it goes like:

    ... sh(1). If the first argument to su is a -, the environment is changed to what would be expected if the user actually logged in as the specified user. This is done by invoking the program used as the shell with an arg0 value whose first character is -, thus causing the system's profile (/etc/profile) and then the specified user's profile (.profile in the new HOME directory) to be executed. ...

and this works as expected: if you add the - option nothing evil happens. otherwise you're lost ;) (at my machines at least...)

-- End of excerpt from Valdis.Kletnieks () VT EDU
merry x-mas,
philipp

---
Sent through Global Message Exchange - http://www.gmx.net
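An added example, not part of the original post: one way to check the two log concerns raised in the message, that the log file is world-readable and that a password hash from the shadow file appears verbatim in it. The function names, the sample shadow entry and the sample log lines (including the format of the addUserAccount line) are constructed for illustration and are not real Irix output.

```python
import os
import stat
import tempfile

# Constructed sample data; the hash and both log line formats are made up.
SAMPLE_SHADOW = "root:*:10500::::::\nalice:Xy3kQ9.zLm2Pa:10580::::::\n"
SAMPLE_LOG = (
    "Dec 21 12:01:07 host login: failed login for nosuchuser\n"
    "Dec 21 12:03:44 host addUserAccount: alice Xy3kQ9.zLm2Pa\n"
)

def world_readable(path):
    """True if 'other' has read permission, as with a mode 644 log file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def shadow_hashes(shadow_text):
    """Map password hash -> account name for entries that carry a real hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # Skip empty, locked or placeholder fields such as "", "*", "!!", "*LK*".
        if len(fields) >= 2 and len(fields[1]) >= 13 and not fields[1].startswith(("*", "!")):
            hashes[fields[1]] = fields[0]
    return hashes

def leaked_accounts(log_path, shadow_text):
    """Return (line number, account) pairs where a shadow hash appears in the log.
    Only the account name is reported, never the hash itself."""
    hashes = shadow_hashes(shadow_text)
    hits = []
    with open(log_path, errors="replace") as log:
        for lineno, line in enumerate(log, 1):
            hits.extend((lineno, user) for h, user in hashes.items() if h in line)
    return hits

def audit(log_path, shadow_text):
    return {"world_readable": world_readable(log_path),
            "leaks": leaked_accounts(log_path, shadow_text)}

def demo(mode=0o644):
    """Run the audit against a temporary copy of the constructed sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "SYSLOG")
        with open(path, "w") as f:
            f.write(SAMPLE_LOG)
        os.chmod(path, mode)
        return audit(path, SAMPLE_SHADOW)

if __name__ == "__main__":
    print(demo())
```

Matching against the hashes actually present in the shadow file avoids guessing at hash formats, but it needs read access to that file, so it has to run as root.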