List: freebsd-hackers
Subject: Re: I need help on this one - please help me track this guy down!
From: Julian Assange <proff () suburbia ! net>
Date: 1996-06-25 10:27:06
> > Assume root has "." in its path. Hacker puts this little script in
> > his dir, maybe also in /tmp/; it's called "ls" (imagine the
> > coincidence), and it's executable by all:
> >
> > #!/bin/sh
> > chown root /bin/sh > /dev/null 2>&1
> > chmod u+s,a+x /bin/sh > /dev/null 2>&1
> > ls $*
> >
> > Then sits back and waits for the sysadmin to come along and type "ls"
> > in one of those directories.
> >
> > Pop quiz: what is the result?
>
> Never thought about that one....
>
> Vince
The result is nothing, unless root's path is ".:$PATH" - hardly a common
occurrence.
What does achieve more success is placing common typographical mistakes
in the path as trojans, e.g. "sl" or "sl-la" or "ls-la" etc.
For this reason only root should not have "." appended to the system path.
I created kernel level trust circles, so untrusted executables will not be
executed. Untrusted is defined as file uid >10 && (file uid !=euid || file uid
!= uid) || file mode &022. This is not in -current. I hadn't bothered to
submit it as I thought it was a little standards breaking (or was that
standards creating ?;) A sysctl perhaps. Are people interested in this?
But in terms of temp directories and spool directories, these should all
be mounted nosuid, noexec, nodev, which solves your problem anyway, and
without kernel hackery.
--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims
may be the most oppressive. It may be better to live under robber barons
than under omnipotent moral busybodies. The robber baron's cruelty may
sometimes sleep, his cupidity may at some point be satiated; but those who
torment us for our own good will torment us without end, for they do so with
the approval of their own conscience." - C.S. Lewis, _God in the Dock_
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union |
|proff@suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+
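As an added illustration (not code from the original thread or from any FreeBSD patch), the following Python audit applies the "untrusted executable" rule stated above to every executable on a PATH value and also flags the "." and relative entries that make the typo-trojan trick work. The function names `is_untrusted`, `audit_path` and `demo` are my own; it assumes a POSIX host, and the directory `demo()` builds is a constructed sample.

```python
import os
import stat
import tempfile

def is_untrusted(file_uid, file_mode, uid, euid):
    """Trust rule as stated in the message, with C precedence (&& before ||):
    untrusted if owned by an ordinary account (uid > 10) that is not the
    invoking user, or if the file is group- or world-writable (mode & 022)."""
    return (file_uid > 10 and (file_uid != euid or file_uid != uid)) \
        or bool(file_mode & 0o022)

def audit_path(path_value, uid=None, euid=None):
    """Return (entry, problem) findings for a colon-separated PATH value:
    '.'/empty/relative entries, and executables failing is_untrusted()."""
    uid = os.getuid() if uid is None else uid
    euid = os.geteuid() if euid is None else euid
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "current directory in PATH"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative PATH entry"))
            continue
        try:
            names = os.listdir(entry)
        except OSError:
            continue  # missing or unreadable directory: nothing to scan
        for name in names:
            full = os.path.join(entry, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue  # only regular, executable files are of interest
            if is_untrusted(st.st_uid, st.st_mode, uid, euid):
                findings.append((full, "untrusted executable (uid %d, mode %o)"
                                 % (st.st_uid, stat.S_IMODE(st.st_mode))))
    return findings

def demo():
    """Constructed sample: PATH starting with '.', then a temp dir holding a
    world-writable wrapper named 'ls' (it only execs the real ls)."""
    d = tempfile.mkdtemp()
    wrapper = os.path.join(d, "ls")
    with open(wrapper, "w") as f:
        f.write('#!/bin/sh\nexec /bin/ls "$@"\n')
    os.chmod(wrapper, 0o777)  # group/world writable: fails the mode & 022 test
    return audit_path(".:" + d + ":/nonexistent-dir")
```

Run as a cron job against root's actual PATH, the same findings would catch both a "." entry and a writable "sl" sitting in a shared directory; the nosuid/noexec/nodev mounts mentioned above remove the second class entirely.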