The 'Security Digest' Archives (TM)

ARCHIVE: Core 'Security Digest' - Archives (1990 - 1991)
DOCUMENT: Core 'Security Digest' V1 #11 1991-02-10 (1 file, 1236 bytes)
SOURCE: http://securitydigest.org/exec/display?f=core/archive/111.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Date: Sun Feb 10 21:02:24 PST 1991
Subject: Core Security Digest V1 #11

Core Security Digest Volume 1 Issue 11

subject(s):

            hp/ux 7.0 glaring security hole

The unix core security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSIBLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                              core@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   core-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             core-request@uninet.cpd.com


------------------------------------------------------------------------

Date: Sun, 10 Feb 91 20:28:48 PST
From: neil (Neil Gorsuch)
Subject: hp/ux 7.0 glaring security hole

[ hp/ux still has not changed their write() function as has been done
on Sun, Solbourne, MIPS, NeXT, IBM 6000 and others (those are the only
machines in my office right now 8-).  And to make things much worse,
they are now (with hp/ux 7.0) shipping a set-uid root group writable
file as follows (according to William Walker):

} under hp/ux 7.0 (on the 800's at least, my 400's are still crated)
} the distribution tapes create /etc/proxy as...
} $ ls -l /etc/proxy
} -rwsrwxr-x   1 root     other      47104 Jan 24 14:06 /etc/proxy

All of my systems that have the modified write() include the following
paragraph as part of their man page on write(), and "pass" the test
following that:

     If the real user is not the super-user, then write()  clears
     the set-user-id bit on a file.  This prevents penetration of
     system security by a user who  "captures"  a  writable  set-
     user-id file owned by the super-user.

% groups
neil ...
% su
Password:
wizard# cd /etc
wizard# cp hosts test
wizard# chmod 4775 test
wizard# chgrp neil test
wizard# ls -lg test
-rwsrwxr-x  1 root     neil          165 Feb  7 23:33 test*
wizard# exit
% cd /etc
/etc
% cat hosts >>test
% ls -lg test
-rwxrwxr-x  1 root     neil          330 Feb  7 23:34 test*

Whereas, on the hp it is reported that it behaves as follows:

$ whoami
wrwalke
$ groups
adm ...
$ su
Password:
# cp hosts test
# chmod 4775 test
# chgrp adm test
# ls -l test
-rwsrwxr-x   1 root     adm         9300 Feb  8 09:37 test
# exit
$ cat hosts >> test
$ ls -l test
-rwsrwxr-x   1 root     adm        18600 Feb  8 09:38 test
$

- neil ]
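
Added example, not part of the original digest or of the post above: a POSIX shell audit for the condition reported for /etc/proxy (a set-uid file writable by group or other), plus a replay of the post's append test on a scratch file. The function names and the scratch file name are hypothetical, and the append test assumes it is run as an ordinary user.

```shell
#!/bin/sh
# Added example; function names and the scratch file name are hypothetical.

# List regular files under $1 that are set-uid AND writable by group or
# other, i.e. the mode the post shows for /etc/proxy (-rwsrwxr-x).
# -xdev keeps the walk on one filesystem.
find_writable_suid() {
    find "$1" -xdev -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) -print
}

# Replay the post's append test on a scratch file created in directory $1.
# Returns 0 if the write cleared the set-uid bit (the behaviour the quoted
# man page describes), 1 if the bit survived the write (the behaviour the
# post reports for hp/ux 7.0), 2 if the scratch file could not be set up.
# Assumption: the caller is not the super-user; the quoted man page only
# promises clearing when the real user is not the super-user.
suid_cleared_by_write() {
    scratch="$1/suid_write_test.$$"
    touch "$scratch" || return 2
    chmod 4775 "$scratch" || { rm -f "$scratch"; return 2; }
    # Some filesystems silently drop the bit; treat that as a setup failure.
    [ -u "$scratch" ] || { rm -f "$scratch"; return 2; }
    echo "appended data" >> "$scratch"
    if [ -u "$scratch" ]; then rc=1; else rc=0; fi
    rm -f "$scratch"
    return "$rc"
}
```

Any path printed by `find_writable_suid` on a system where `suid_cleared_by_write` returns 1 can be rewritten by its group or by anyone while keeping its set-uid bit, so its mode should be tightened.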

------------------------------------------------------------------------

        End of Core Security Digest Volume 1 Issue 11
        **********************

END OF DOCUMENT