Re: NMO not setuid-root (Unix-only)

Jonathan Leffler wrote:

> chmod u=srx,g=sx,o=x ...
>
> It's simpler to use 6511 from where I sit (but twenty years of
> thinking of permissions in octal has probably distorted the neuronic
> pathways a bit :-).

Hey, I cut my teeth in hexa! Octal is too uncompressed for me.
:)

> the intruder has got root privileges on your machine. A careful
> intruder would target the insecure executable carefully to cover
their
> tracks:
>
> cp -p /insecure/program /tmp
> cp /bin/ksh /insecure/program
> /insecure/program
> ...this runs a Korn shell and in that shell, intruder executes...
> cp -p /tmp/program /insecure/program
> ...and probably ensures they can get back into the system on
demand...
> cp /bin/ksh /...
> chmod 4555 /...

LOL! Precious!

> didn't change, etc). An alternative to /... is an odd-ball name like

> /bin/procchk - which doesn't usually exist as an ordinary program but

> looks plausibly Unixy and might just need SUID root privileges in the

> ordinary course of events.

Hehehe! Lure them away with the truth. :)

> Jonathan Leffler #include <disclaimer.h>
> Email: jleffler_at_earthlink.net, jleffler_at_us.ibm.com
> Guardian of DBD::Informix v2003.04 -- http://dbi.perl.org/

I knew there had to be some good *nix stuff in an Informix man. Thanks a lot for the excellent and informational post, Jonathan. Received on Wed Dec 01 2004 - 05:26:16 CST