Re: list scripts, permissions, and ownerships.

From: Eric Anderson (anderson@centtech.com)
Date: 11/14/02


Date: Thu, 14 Nov 2002 07:32:23 -0600
From: Eric Anderson <anderson@centtech.com>
To: Kirk Bailey <idiot1@netzero.net>

Kirk Bailey wrote:
> oops. I quote:
>
> 7.Is the target user NOT superuser?
>
> Presently, suEXEC does not allow 'root' to execute CGI/SSI
> programs.
>
> Alas, the file appears to be owned by root. Now what?

I'm assuming by "owned by root" you mean setuid bit is on and the
ownership is root? Just making a file owned by root doesn't make it run
as root. If you DID have the setuid bit on, and it IS root owned, you
are in dangerous waters. It's not really a great idea to have suid root
programs running from a web site - all it takes is for you to miss one
thing and the "evil hacker" has root access on your box, instead of just
access as "nobody".

The nobody user should be able to read the aliases file just fine with
no extra permissions.

Eric

-- 
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
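Eric's point is that root ownership by itself is harmless; the risk appears only when the setuid (or setgid) bit is also set, because then the program runs with the owner's privileges instead of as "nobody". The following POSIX shell script, added here as an example and not part of the thread, audits a CGI directory for exactly that combination. It assumes a conventional `cgi-bin` path passed on the command line and relies only on `find -user`/`-perm`, which are POSIX; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a CGI directory for
# programs that would execute with elevated privilege. A file only gains the
# owner's privileges when its setuid (4000) or setgid (2000) bit is set;
# plain root ownership alone does not make it run as root.
#
# audit_cgi_dir DIR [OWNER]
#   Prints each setuid/setgid file under DIR owned by OWNER (default: root).
#   Returns 1 when at least one such file exists, 0 when the tree is clean.
audit_cgi_dir() {
    dir=$1
    owner=${2:-root}
    # -perm -4000 / -2000 mean "at least these bits are set", so the rest of
    # the mode does not matter; -user restricts to files owned by the account.
    hits=$(find "$dir" -type f -user "$owner" \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -z "$hits" ]; then
        echo "no setuid/setgid files owned by $owner under $dir"
        return 0
    fi
    echo "privileged programs owned by $owner under $dir:"
    echo "$hits" | while IFS= read -r f; do
        # ls -l shows an 's' in the mode string where the bit is set.
        ls -l "$f"
    done
    return 1
}

# count_privileged DIR [OWNER]: same search, reduced to a number of matches,
# suitable for a periodic check that alerts on any value above zero.
count_privileged() {
    find "$1" -type f -user "${2:-root}" \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Stand-alone run: ./audit_cgi.sh /usr/local/www/cgi-bin [owner]
# (the path is an assumed example; pass your server's actual CGI directory).
if [ "${1:-}" != "" ]; then
    audit_cgi_dir "$1" "${2:-root}"
fi
```

The exit status follows the usual monitoring convention (non-zero means something to look at), so the function can be dropped into a cron job or a pre-deploy check; a result other than "no setuid/setgid files" is the case Eric warns about, and the fix is to clear the bit with `chmod u-s` and let suEXEC or the "nobody" user do the work instead.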

