Bugtraq mailing list archives
Re: Digital Unix 4.0E /var permission
From: implosion () BROKEN NE MEDIAONE NET (implosion)
Date: Tue, 6 Apr 1999 10:18:28 -0500
First of all, under Digital UNIX, the system group is the group that is 'pseudo-root', i.e. its members have near-root privileges and are allowed to su into root. /var, which under a default install is a sym-link to /usr/var, contains all of the system accounting files, LSM, and other system specific files that all System Administrators would need to run their system. So, it is only logical that system have write permissions to that directory. Also, one should note that any system administrator should (and would, I would hope), only put _secure_ accounts in the system group, i.e. any account that is going to utilize a safe password and those accounts are not going to have set-uid or gid executables attached to them.

One more note: as an ls -la of /sbin/rc3.d would show you, S95xlogin is only a sym-link to /sbin/init.d/xlogin. The S95 is there so when init comes up to run level 3, it will start (the S tells it that), and the 95 is placed there to put it in order - you add a numeric number to the front of the executable, so when the rc3 script processes /sbin/rc3.d, it gets launched after certain daemons and programs that need to be running in order for it to start. To the best of my knowledge, xlogin isn't doing anything to the /var permissions.

-Implosion

On Sun, 4 Apr 1999, Harhalakis Stefanos wrote:

> On Digital Unix 4.0E with the latest patch kit applied, after a new installation /var has g+w for group system. Anyone that can crack any account with gid==system may exploit this (not tested but there should be no problem with mv'ing /var/sbin, /var/adm etc etc..). It seems that CDE is forcing g+w to /var.. The whole thing is done while executing /sbin/rc3.d/S95xlogin and only if CDE is selected.
> <<V13>>
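
An added example (not part of either post) of an audit for the condition this thread discusses: it reports whether a directory such as /var is group- or world-writable after following the symlink, and lists every account that holds the owning group as a primary or supplementary group. The function names and the sample group, passwd and directory layout are constructed for illustration.

```shell
#!/bin/sh
# dir_write_bits PATH
# Reports group/world write on PATH. -L follows a symlink, so a /var that
# points at /usr/var reports the mode of the real directory.
dir_write_bits() {
    ls -ldL "$1" 2>/dev/null | awk '{
        f = ""
        if (substr($1, 6, 1) == "w") f = f "group-writable(" $4 ") "
        if (substr($1, 9, 1) == "w") f = f "world-writable "
        sub(/ $/, "", f)
        if (f == "") print "ok"; else print f
    }'
}

# group_members GROUP GROUP_FILE PASSWD_FILE
# Prints every account that holds GROUP, either as a supplementary group
# (group file, field 4) or as its primary gid (passwd file, field 4).
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g {
            n = split($4, u, ",")
            for (i = 1; i <= n; i++) print u[i]
        }' "$2"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"
    } | sort -u
}

# Constructed sample data (not taken from a real host): var is a symlink to
# a group-writable usr/var, with minimal group and passwd files beside it.
make_sample() {
    mkdir -p "$1/usr/var" && chmod 775 "$1/usr/var"
    ln -s usr/var "$1/var"
    printf 'system:*:0:root,operator\nusers:*:15:\n' > "$1/group"
    printf 'root:*:0:0::/:/bin/sh\n'               >  "$1/passwd"
    printf 'alice:*:201:0::/home/alice:/bin/sh\n'  >> "$1/passwd"
    printf 'bob:*:202:15::/home/bob:/bin/sh\n'     >> "$1/passwd"
}

t=$(mktemp -d) && make_sample "$t"
echo "var: $(dir_write_bits "$t/var")"
echo "system: $(group_members system "$t/group" "$t/passwd" | xargs)"
rm -rf "$t"
```

On a live host, pass /var, /etc/group and /etc/passwd instead of the sample paths.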