On Fri, Jan 19, 2001 at 01:06:40AM -0500, Mark H. Weaver wrote:
> What about non-hurd-aware setuid/setgid programs which trust the
> authenticity of their config file based on its location within the
> filesystem? I'm too lazy to research any particular program to see if
> it would have this problem, but I can certainly imagine such problems.
>
> For example, a setuid program mysudo might read a config file
> /etc/mysudoers, telling it which users are allowed to become root. If
> it were hurd-aware and/or extra careful, it would check the owner of
> the file, but since it isn't, it naively assumes that the file's
> legitimate because it's in /etc
>
> Now I can do the following within my home directory:
>
>   mkdir myroot
>   cd myroot
>   mkdir etc
>   echo myname > etc/mysudoers
>   ln /usr/bin/mysudo .
>   cp /bin/sh .
>   chroot .
>   ./mysudo chown root.root ./sh
>   ./mysudo chmod 4555 ./sh
>   exit
>   ./sh
>
> and now I've got a root shell. Am I missing something?

neal@hurd:~ (0)$ mkdir root
neal@hurd:~ (0)$ cp `which sudo` root
neal@hurd:~ (0)$ ls -l `which sudo` root
-rwsr-xr-x 1 root root 48304 Jul 26 1999 /usr/bin/sudo

root:
total 48
-rwsr-xr-x 1 neal neal 48304 Jan 19 01:09 sudo

It is not going to work if it is not suid root.