On Thu, Dec 28, 2000 at 02:34:50PM -0800, "Optyx - Uberhax0r
Communications"@SECURITYFOCUS.COM wrote:
> /usr/sbin/audlinks has the following behavior:
> $ id
> uid=100(optyx) gid=1(other)
> $ mkdir -p /tmp/b/dev
> $ ln -s /.rhosts /tmp/b/dev/.devfsadm_dev.lock
> $ su root
> Password:
> # /usr/sbin/audlinks -r /tmp/b
> # ls -l /.rhosts
> -rw-r--r-- 1 root other 4 Dec 28 14:28 /.rhosts
As far as I know audlinks is deprecated for at least Solaris 8.
Devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the
previous suite of devfs administration tools including audlinks(1M).
Casper Dik already mentioned that the generated /.rhosts file would
be useless if you plan to gain root privilegdes using rsh/rlogin.
But I'd like to add that I can't see a real vulnerability in the above
scenario. audlinks is used to add the audio symlinks and the sound
directory to the devices of a system (/dev), why the hell should an
administrator create these files in a directory owned by user in /tmp.
I can only imagine that an administrator mounts another root filesystem
and creates audlinks manuals, e.g.
/usr/sbin/mount /dev/dsk/c0t0d0s0 /a
/usr/sbin/audlinks -r /a
But in this case /a wouldn't be worldwritable. I can't see any problem
with audlinks. Sorry.
Regards,
Konrad
--
Konrad Rieck <[EMAIL PROTECTED]> Roqefellaz - http://www.r0q.cx
Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
-- GPG Public Key http://www.r0q.cx/keys/kr.pub
