Ok..this is driving me mad and my curiosity is piqued...

A mate of mine (using RedHat) was hacked (probably from associating with
the wrong company on IRC, most likely) - cleaning up his system, we
found multiple backdoors, including the obvious series of SUID shells
scattered around his file system.  This prompted me to go over my Debian
1.3 setup for any glaring holes etc.  This done, I thought I'd
show him how the SUID shells were generated as I *thought* I knew how it
was done (actually I thought it was bloody obvious)...I didn't think there
was a way to prevent SUID shells being generated once root was obtained - 

so, logging into console as root

$ cp /bin/bash /bin/somefile

$ ls -l /bin/somefile
-rwxr-x--- 1 root root 318612 Oct 14 22:44 /bin/somefile

$ chmod a+xs /bin/somefile
-rwsr-s--x 1 root root 318612 Oct 14 22:44 /bin/somefile

Presumably a hacker (or cracker to be precise) would chgrp to root if root
was gained by some exploit.  Exiting and logging in as test_user (created
for the purpose), when I execute /bin/somefile and do whoami and id,
test_user is still controlling the shell with uid, gid etc. set to
test_user.  I've tried a number of variations on the above but to no
avail.  I *hate* the idea of not knowing how to do something that some
IRC #hack juvenile can!  I know I'm missing something awfully obvious
here or else I've got something new to crow about regarding Debian to my
linux-challenged (read RedHat and Slackware :) ) friends...

So, if anyone can point out my glaring mistake, I'd appreciate it 
- given the sensitivity of this issue, perhaps a direct e-mail to me is
more appropriate?



---

Garry Myers
Molecular Genetics Unit
Menzies School of Health Research       Australia
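The cleanup described at the top of the post (hunting down set-uid shells scattered around a filesystem) is the kind of check worth scripting so it can be repeated and diffed against a known-good baseline. The script below is an added example for that purpose, written by the editor; it is not part of the original mail and not anything the poster or the Debian project shipped. The function names, the baseline file format (one absolute path per line) and the sample directory used in the usage notes are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate set-uid / set-gid
# executables under one or more directory trees, the files a post-intrusion
# cleanup like the one described above is looking for.
#
# Typical use (paths are illustrative):
#   find_suid_files / > suid.baseline        # taken on a clean install
#   ...later...
#   check_suid_against_baseline suid.baseline /   # prints anything new, exits 1
#
# Prints one "ls -l" style line per match, the same format quoted in the post,
# so a set-uid copy of a shell stands out immediately.
find_suid_files() {
    # -perm -4000: set-uid bit set; -perm -2000: set-gid bit set.
    # -xdev keeps the scan on one filesystem so /proc and network mounts
    # are not walked. Unreadable directories are silently skipped.
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null
}

# Compare the set-uid/set-gid files under the given directories against a
# baseline file containing one absolute path per line. Prints every file
# that is not in the baseline and returns 1 if there were any, 0 otherwise,
# so it can drive a cron job or a monitoring check.
check_suid_against_baseline() {
    baseline="$1"; shift
    # grep -v -x -F -f: drop lines that exactly match a baseline entry.
    # "|| true" keeps set -e callers alive when nothing is unexpected.
    unexpected=$(find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
                 | grep -v -x -F -f "$baseline" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Stand-alone use: `sh this_script.sh /usr /bin` lists the set-uid/set-gid
# files under those trees. With no arguments only the functions are defined.
if [ $# -gt 0 ]; then
    find_suid_files "$@"
fi
```

Run the baseline capture right after a clean install and store it off the machine; on a compromised host the attacker can edit a baseline kept locally just as easily as they planted the shell.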
