Aucbvax.2986
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Tue Sep 8 03:08:45 1981
>From pur-ee!bruner@Berkeley Tue Sep 8 01:02:07 1981
Re: /usr/spool/mail

From decvax!ucbvax!unix-wizards Sat Sep 5 06:25:57 1981
Re: /usr/spool/mail : fa.unix-wizards
>From MathStat.jmrubin@Berkeley Sat Sep 5 06:15:14 1981
From csvax:unix-wizards Sat Sep 5 05:33:33 1981
Subject: Re: /usr/spool/mail
Newsgroups: fa.unix-wizards
>From James.Gosling@CMU-10A Sat Sep 5 05:23:07 1981

If /usr/spool/mail is writable it's really easy to become super-user.

1. copy the shell to the file /usr/spool/mail/root
2. make it suid
3. send mail to root

When the mail is sent to root the delivery program only appends the mail
to the mailbox and chowns the file to root. *poof* you have a suid root
shell. The easiest way to stop this is to not have /usr/spool/mail be
writable.

James.

I don't think this would work because writing on a setuid file usually
shuts off the setuid bits (and setgid bits); of course, this is
installation dependent. Of course, chown is a privileged call, but I
suspect chown also turns off the setuid bits. (If it doesn't, then it
should!)

Joel Rubin

Another way which gets around the setuid-cleared-on-write is to link your
own mailbox to something like /bin/sh (or, if /usr is mounted on a
different filesystem, something in /usr/bin or /usr/ucb that will be run
by root). Mail a letter to yourself. You will now own the file, so copy in
your own shell (or whatever) with a patch that will chown/chmod one of
your files to be setuid-root. Unlink your mailbox and link /bin/sh to
/usr/spool/mail/root (moving the real one out of the way momentarily, if
necessary). Mail something to root to chown the altered shell back to
root. Restore /usr/spool/mail/root. As soon as a super-user runs the
altered program, you'll have access to root.

Granted, this system requires some patience and is more vulnerable to
detection (the inode modify and change times on /bin/sh will be
different), but unless the system staff is super-alert to things like
that you'll probably be home free.

--John Bruner (pur-ee!bruner)

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/

This Usenet Oldnews Archive article may be copied and distributed freely,
provided:
1. There is no money collected for the text(s) of the articles.
2. The following notice remains appended to each copy:
The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.
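The thread turns on two properties of the system: whether the mail spool directory is writable by ordinary users (Gosling's precondition, and the fix he names), and whether the kernel clears the setuid bit when a setuid file is written (the behaviour Rubin's objection relies on). The following is an added audit script written for this page; it is not code from any of the posters or from the 1981 mail system. It assumes only POSIX ls, cut, chmod and mktemp; the function names are mine, the test directory and file it creates are constructed under mktemp, and it touches no real spool unless you pass one to audit_spool.

```shell
#!/bin/sh
# Added example, not part of the original posting: a defender's audit for
# the two properties discussed in the thread. All paths are parameters;
# temporary files are constructed under mktemp.

# Does the mode string from 'ls -ld' grant write permission to group or
# other? Returns 0 (yes) or 1 (no). Only the first 10 characters are
# examined, so an ACL ('+') or label ('.') suffix is ignored. Position 6
# is the group write bit, position 9 the other write bit.
spool_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Does this kernel keep the setuid bit on a file after an ordinary append
# by its owner? Rubin's objection assumes it is cleared. Prints "kept" or
# "cleared" and returns 0/1; returns 2 if the bit could not be set at all.
# A process holding CAP_FSETID (root on Linux) keeps the bit, so run this
# as an unprivileged user to see what an ordinary user would see.
setuid_survives_append() {
    f=$(mktemp) || return 2
    chmod 4755 "$f" || { rm -f "$f"; return 2; }
    case "$(ls -l "$f" | cut -c4)" in
        s|S) ;;
        *) rm -f "$f"; return 2 ;;
    esac
    echo "constructed mail body" >> "$f"     # the "delivery" write
    bit=$(ls -l "$f" | cut -c4)
    rm -f "$f"
    case "$bit" in
        s|S) echo kept;    return 0 ;;
        *)   echo cleared; return 1 ;;
    esac
}

# Report on a spool directory (default: the historical path from the
# thread). Returns 1 if the directory is writable by group/other,
# 0 if not, 2 if it does not exist.
audit_spool() {
    dir=${1:-/usr/spool/mail}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 2
    fi
    if spool_writable_by_others "$dir"; then
        echo "$dir: writable by group/other (precondition for the mailbox trick)"
        rc=1
    else
        echo "$dir: not writable by group/other"
        rc=0
    fi
    case "$(setuid_survives_append)" in
        kept)    echo "setuid bit survives an append by the owner" ;;
        cleared) echo "setuid bit cleared on append (Rubin's assumption holds here)" ;;
        *)       echo "could not test setuid-on-write behaviour" ;;
    esac
    return $rc
}
```

Run it as an unprivileged user against your system's spool path (for example `audit_spool /var/mail` on a modern system) so that the setuid check reflects what a non-root writer experiences; a non-zero return from audit_spool means the directory permissions Gosling warned about are present.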