Full Disclosure mailing list archives

Re: /bin/rm file access vulnerability


From: Jeffrey Denton <dentonj () gmail com>
Date: Thu, 30 Dec 2004 20:56:15 -0700

Nothing new here.  That is one of the problems with DAC systems, the
admin has total control over the system.

With UNIX/Linux, it's even possible for users to delete files from
their home directory even if they are owned by root.  Say for example,
the admin wants to create a zero length .rhosts file to prevent the
user from using that file to open a hole in the system:


username@hostname:~$ ls -l .rhosts
/usr/bin/ls: .rhosts: No such file or directory
username@hostname:~$ su
Password:
root@hostname:/home/username# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root@hostname:/home/username# touch .rhosts
root@hostname:/home/username# ls -l .rhosts
-rw-r--r--  1 root root 0 2004-12-30 20:04 .rhosts
root@hostname:/home/username# exit
exit
username@hostname:~$ id
uid=1000(username) gid=1000(username)
groups=1000(username),10(wheel),11(floppy),17(audio),18(video),19(cdrom)
username@hostname:~$ rm .rhosts
/bin/rm: remove write-protected regular empty file `.rhosts'? y
username@hostname:~$ ls -l .rhosts
/usr/bin/ls: .rhosts: No such file or directory
username@hostname:~$ ls -ld /home/username/
drwx--x--x  59 username username 8192 2004-12-30 20:05 /home/username/

This is not new.  From the book, "Practical UNIX & Internet Security",
2nd Ed., page 116:

"To unlink a file from a directory, you need only have write and
execute access to that directory even if you have no access rights to
the file itself."

Every so often, someone "discovers" this security hole in UNIX/Linux.

To prevent the above from happening, use a MAC or an RBAC system such
as Trusted Solaris.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
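
An added example, not part of the original post: a small audit check for the rule quoted above. It reports which non-root principals could unlink a guard file such as a root-owned .rhosts, judging only from the parent directory's mode bits. The function names `unlinkers` and `audit` are hypothetical, and the sample values are constructed from the session in the post.

```python
import os
import stat


def unlinkers(dir_mode, dir_uid, file_uid):
    """Non-root principals, other than the file's owner, who can unlink an
    entry, judged from the parent directory's mode bits alone (ACLs,
    immutable flags and MAC policy are not considered)."""
    def wx(w, x):
        return bool(dir_mode & w) and bool(dir_mode & x)

    sticky = bool(dir_mode & stat.S_ISVTX)
    found = []
    # The directory owner needs only write+execute on the directory; the
    # sticky bit never restricts the directory's own owner.
    if dir_uid not in (0, file_uid) and wx(stat.S_IWUSR, stat.S_IXUSR):
        found.append(f"uid:{dir_uid}")
    # Group/other can unlink entries they do not own unless sticky is set.
    if not sticky:
        if wx(stat.S_IWGRP, stat.S_IXGRP):
            found.append("group")
        if wx(stat.S_IWOTH, stat.S_IXOTH):
            found.append("other")
    return found


def audit(path):
    """Apply unlinkers() to a real file and its parent directory."""
    parent = os.path.dirname(os.path.abspath(path))
    d, f = os.stat(parent), os.lstat(path)
    return unlinkers(d.st_mode, d.st_uid, f.st_uid)


if __name__ == "__main__":
    # Constructed values matching the post: drwx--x--x owned by uid 1000,
    # .rhosts owned by root (uid 0).
    print(unlinkers(0o711, 1000, 0))   # home directory as in the post
    print(unlinkers(0o1711, 1000, 0))  # same directory with the sticky bit
    print(unlinkers(0o755, 0, 0))      # root-owned, root-only-writable dir
```

The sticky bit does not change the result for a home directory, because the directory's owner is always allowed to remove entries from it; only a parent directory the user cannot write to, or a policy layer above DAC, keeps the file in place.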

