
Re: Security hole



Hello,

> > Experiment I.
> > [...]
> > 8) do "rm testfile"
> 
> Removing a file only needs write access to the directory, *not* to the
> file itself. So this is a perfectly correct behaviour. (It's the same
> on all Un*x versions that I know.)

Uhm, I will check this... anyways, even if it's a perfectly correct
behaviour, I think it should be fixed. "w" should also mean you can erase
the file...

> > Experiment II.
> 
> > 1) Log in as a regular user (group users)
> > 2) do "ftp localhost"
> > 3) login to your regular FTP account (the same as for shell)
> > 4) cd to /proc
> > 5) do "del init.001" :)))))
> 
> Here I can only guess, as I don't know exactly how these things work
> under mint. Usually the ftpd is invoked by the external access via the
> net. Here the access is from the local machine, but this doesn't
> matter. Usually ftpd runs as set uid root or even under root itself,
> so removing anything is possible. But logging in as a normal user
> should result in switching the uid of the ftpd, for example by forking
> a child. So there seems to be a mistake in the login procedure of
> ftpd.

The ftpd does an euid switch, not uid. I had no time to test what will
happen if you switch uid too but I guess it would be unable to access
sockets. Anyways, I am sure Linux/OpenBSD server does exactly the same,
but you're unable to kill processes cause they're all -r--r--r-- and such
stuff... Besides, /proc is dr-xr-xr-x, but I am not sure MiNT can be fixed
to do it easily...

> When switching to anonymous ftp, the uid is definitely changed to a
> virtual user usually called ftp and this user is not allowed to remove
> any processes.

When switching to the anonymous ftp, you have no /proc access :)

Bye

Konrad M.Kokoszkiewicz

mail:draco@nidus.mi.com.pl
     draco@irc.pl
     draco@piwo.bl.pg.gda.pl
     conradus@avanti.orient.uw.edu.pl
     conradus@plearn.edu.pl
     draco@nuova.id.uw.edu.pl
http://www.orient.uw.edu.pl/~conradus/
 IRC:[Draco]

*** Ea natura multitudinis est,
*** aut servit humiliter, aut superbe dominatur.
*************************************************
*** For the common people it is normal either to serve
*** abjectly or to domineer insolently.
                                           (Liv. XXIV, 25)
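
The rule quoted in the reply to Experiment I (removing a file needs write access to the directory, not to the file itself) can be checked on any POSIX system with the sketch below. It is an added example, not part of the original message; the helper name `try_unlink` and the temporary paths are made up here, and the "denied" case assumes a non-root user, since root bypasses the mode bits.

```shell
#!/bin/sh
# Constructed demo: whether a file can be deleted is decided by the mode of
# the directory that holds it, not by the mode of the file.
# All paths are temporary and created by this script.

# try_unlink DIR_MODE FILE_MODE  -> prints "removed" or "denied"
try_unlink() {
    dir_mode=$1
    file_mode=$2
    work=$(mktemp -d) || return 2
    mkdir "$work/d"
    : > "$work/d/testfile"
    chmod "$file_mode" "$work/d/testfile"
    chmod "$dir_mode" "$work/d"
    # rm -f only skips the "remove write-protected file?" prompt; the
    # unlink(2) call underneath is permission-checked against the directory.
    if rm -f "$work/d/testfile" 2>/dev/null && [ ! -e "$work/d/testfile" ]; then
        result=removed
    else
        result=denied
    fi
    chmod 700 "$work/d"    # restore access so the cleanup below can proceed
    rm -rf "$work"
    echo "$result"
}

# Cases: read-only file in a writable directory, a file with no permissions
# at all in a writable directory, and a world-writable file in a directory
# mounted dr-xr-xr-x style (the mode the message mentions for /proc).
for case in "755 444" "755 000" "555 666"; do
    set -- $case
    printf 'dir=%s file=%s -> %s\n' "$1" "$2" "$(try_unlink "$1" "$2")"
done
```
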