Bugtraq mailing list archives
Re: Digital Unix 4.0E /var permission
From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Thomas Bauer)
Date: Tue, 6 Apr 1999 10:47:26 +0200
Hello,

On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:

> On Digital Unix 4.0E with the latest patch kit applied, after a new installation /var has g+w for group system.
This problem seems to exist in other versions of Digital Unix, too. At least on Digital Unix 4.0c and 4.0d (Factory Installed Software, no patches applied, CDE in use) /var, which in my case is a link to /usr/var, has

    drwxrwxr-x 28 root system 512 Feb 11 12:58 /usr/var/

permissions. However, on Digital Unix 4.0b (Patch kit DUV40BAS00008-19980821 applied, Software installed from CD, CDE in use) /usr/var has

    drwxr-xr-x 23 root system 512 Feb 11 1998 /usr/var/

permissions.
> The whole thing is done while executing /sbin/rc3.d/S95xlogin and only if CDE is selected.
This does not seem to be the case for Digital Unix 4.0c and 4.0d. There is no chmod of /var in /sbin/rc3.d/S95xlogin.
> Anyone that can crack any account with gid==system may exploit this (not tested but there should be no problem with mv'ing /var/sbin, /var/adm etc etc..).
Or do the following: CDE's Xconfig file is a link from /var/dt/Xconfig to the actual config file. Moving /var/dt and creating your own /var/dt, you could replace the system Xconfig file with your own version which has the session manager specification

    Dtlogin*session: /usr/dt/bin/Xsession

replaced with something more evil. Then just wait for root to log in on the console....

--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
PGP public key available from: http://www.theo2.physik.uni-stuttgart.de/jtb.html
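
A check for the condition discussed in this message, as an added example that is not part of the original post or of any vendor tooling: it reports every directory on the way to a file (here /var/dt/Xconfig) that is group- or world-writable, following symlinks such as /var -> /usr/var. The function names and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag directories on the way to a file that accounts other
# than the owner can write to. Reads modes only; changes nothing.

# Mode string as ls prints it, following symlinks, because /var may be a
# link to /usr/var as in the message above.
mode_of() {
    ls -ldL "$1" 2>/dev/null | awk '{ print $1 }'
}

# Print one finding line if directory $1 is group- or world-writable.
# Returns 0 when a finding was printed, 1 otherwise.
check_dir() {
    mode=$(mode_of "$1")
    case "$mode" in d*) ;; *) return 1 ;; esac
    who=""
    case "$mode" in ?????w*) who="group" ;; esac
    case "$mode" in ????????w*) who="${who:+$who+}world" ;; esac
    [ -n "$who" ] || return 1
    # With the sticky bit, only an entry's owner (or the directory's owner,
    # or root) can rename or remove it.
    case "$mode" in
        ?????????[tT]*) note="sticky" ;;
        *) note="entries-can-be-renamed" ;;
    esac
    printf '%s %s %s %s\n' "$who" "$note" "$mode" "$1"
}

# audit_chain ROOT RELPATH: check each directory from ROOT/<first component>
# down to the file RELPATH. Exit status 1 if anything was flagged, else 0.
# On a live system: audit_chain / var/dt/Xconfig
audit_chain() {
    dir=${1%/}
    found=0
    old_ifs=$IFS
    IFS=/
    set -f; set -- $2; set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        dir="$dir/$part"
        if check_dir "$dir"; then found=1; fi
    done
    return "$found"
}
```

A line marked entries-can-be-renamed on /var corresponds to the drwxrwxr-x case reported above; the usual correction is mode 755 with owner root on that directory.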