
Re: Security hole



Hello,

>>>>> ""Konrad" == "Konrad M Kokoszkiewicz" <draco@mi.com.pl> writes:

> Experiment I.
> [...]
> 8) do "rm testfile"

Removing a file only needs write access to the directory, *not* to the
file itself. So this is a perfectly correct behaviour. (It's the same
on all Un*x versions that I know.)

> Experiment II.

> 1) Log in as a regular user (group users)
> 2) do "ftp localhost"
> 3) login to your regular FTP account (the same as for shell)
> 4) cd to /proc
> 5) do "del init.001" :)))))

Here I can only guess, as I don't know exactly how these things work
under MiNT. Usually ftpd is invoked by external access via the
net. Here the access is from the local machine, but this doesn't
matter. Usually ftpd runs set-uid root or even under root itself,
so removing anything is possible. But logging in as a normal user
should result in switching the uid of the ftpd, for example by forking
a child. So there seems to be a mistake in the login procedure of
ftpd.

When switching to anonymous ftp, the uid is definitely changed to a
virtual user usually called ftp and this user is not allowed to remove
any processes.


Hartmut


----------------------------------------------------------------------
   Hartmut Keller, Universitaet Stuttgart, Institut fuer Informatik
          Abt. Programmiersprachen und Uebersetzer (SunTREC)
      Breitwiesenstr. 20-22, 70565 Stuttgart, Tel. 0711/7816-345
              E-Mail: keller@informatik.uni-stuttgart.de
----------------------------------------------------------------------
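The first point of the reply (unlink is governed by the directory's permissions, not the file's) can be checked directly. The script below is an added example, not part of the original mail; it assumes a POSIX shell with mktemp(1), and a non-root uid, because root bypasses these discretionary checks and the second case would then succeed.

```shell
#!/bin/sh
# Added example: show that removing a directory entry depends on write
# permission on the directory, not on the mode bits of the file itself.
# Assumes POSIX sh, mktemp(1), and that we are not running as root.

# Case 1: a file with mode 000 inside a directory we own and can write to.
# Expected result: "removed", even though we cannot read or write the file.
unlink_mode000_file() {
    d=$(mktemp -d)
    : > "$d/secret" && chmod 000 "$d/secret"
    if rm -f "$d/secret" 2>/dev/null && [ ! -e "$d/secret" ]; then
        echo removed
    else
        echo denied
    fi
    chmod 700 "$d"; rm -rf "$d"
}

# Case 2: a world-writable file inside a directory without write permission.
# Expected result: "denied" (EACCES on the directory, despite mode 666 on
# the file). As root this prints "removed" instead, since root is exempt.
unlink_in_readonly_dir() {
    d=$(mktemp -d)
    : > "$d/public" && chmod 666 "$d/public"
    chmod 500 "$d"   # r-x: may list and traverse, may not add/remove entries
    if rm -f "$d/public" 2>/dev/null && [ ! -e "$d/public" ]; then
        echo removed
    else
        echo denied
    fi
    chmod 700 "$d"; rm -rf "$d"
}

printf 'mode-000 file in writable directory:  %s\n' "$(unlink_mode000_file)"
printf 'mode-666 file in read-only directory: %s\n' "$(unlink_in_readonly_dir)"
```

The same rule is why a daemon that keeps root's uid after a user logs in can delete anything: the check is against the caller's uid and the directory, and root passes it everywhere.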