
SUID shells...aaarrgghh




Ok..this is driving me mad and my curiosity is piqued...

A mate of mine (using RedHat) was hacked (probably from associating with
the wrong company on IRC, most likely) - cleaning up his system, we
found multiple backdoors, including the obvious series of SUID shells
scattered around his file system.  This prompted me to go over my Debian
1.3 setup for any glaring holes etc.  This done, I thought I'd
show him how the SUID shells were generated as I *thought* I knew how it
was done (actually I thought it was bloody obvious)...I didn't think there
was a way to prevent SUID shells being generated once root was obtained - 

so, logging into console as root

$ cp /bin/bash /bin/somefile

$ ls -l /bin/somefile
-rwxr-x--- 1 root root 318612 Oct 14 22:44 /bin/somefile

$ chmod a+xs /bin/somefile
-rwsr-s--x 1 root root 318612 Oct 14 22:44 /bin/somefile

Presumably a hacker (or cracker to be precise) would chgrp to root if root
was gained by some exploit.  Exiting and logging in as test_user (created
for the purpose), when I execute /bin/somefile and do whoami and id,
test_user is still controlling the shell with uid guid etc set to
test_user.  I've tried a number of variations on the above but to no
avail.  I *hate* the idea of not knowing how to do something that some
IRC #hack juvenile can!  I know I'm missing something awfully obvious
here or else I've got something new to crow about regarding Debian to my
linux-challenged (read RedHat and Slackware :) ) friends...

So, if anyone can point out my glaring mistake, I'd appreciate it
- given the sensitivity of this issue, perhaps a direct e-mail to me is
more appropriate?

Cheers,

Garry.

---

Garry Myers				
Molecular Genetics Unit			
Menzies School of Health Research	Australia
garry@menzies.su.edu.au


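The cleanup step mentioned above, finding SUID shells scattered around a filesystem, is the part worth automating: look for files with the setuid/setgid bit set and compare their contents against the system shells. The scanner below is an added example, not code from the post; the shell list and the temporary-directory fixture it builds are constructed assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical list of shells to compare against; hashes are taken from the
# live binaries at scan time, nothing is hard-coded.
KNOWN_SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/zsh")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, shell_paths=KNOWN_SHELLS):
    """Walk root and return {path: matched_shell_or_None} for every regular
    file with the setuid or setgid bit set.  A match means the file is a
    byte-for-byte copy of one of shell_paths (the '/bin/somefile' pattern);
    unmatched entries still need review against the package manifest."""
    known = {sha256_of(p): p for p in shell_paths if os.path.isfile(p)}
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = known.get(sha256_of(path))
    return found

def build_demo_tree():
    """Constructed fixture, not real system files: a fake shell, a setuid copy
    of it, a plain copy, and an unrelated setuid file, in a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="suidscan-")
    def put(name, data, mode):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)
        return p
    shell = put("fake_bash", b"#!/bin/sh\necho constructed fake shell\n", 0o755)
    put("somefile", open(shell, "rb").read(), 0o4711)   # setuid copy: flagged
    put("plain_copy", open(shell, "rb").read(), 0o755)  # no setuid: ignored
    put("other_suid", b"#!/bin/sh\necho not a shell copy\n", 0o4755)  # listed, no match
    return root, shell
```

Run `scan("/")` as root on a real host; anything that comes back matched is a copied shell, and the unmatched entries should be checked against the list of setuid files the distribution's packages are supposed to install.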



