Okay, let's try that again.

On Mon, 10 Nov 2003 06:16:18 -0800, Norbert Kamenicky muttered:
> User is running commands under its (effective) id. Correct?
> Password is stored in /etc/shadow
> (which has no rw permissions for users ... try cat /etc/shadow).
> 
> Now, I have a question for you:
> How is it possible that users can change their password?
> 
> The right answer is:
> Due to the set uid/gid mechanism.
> (run ls -l /bin/passwd)

Right, /bin/passwd *is* suid and can write to the passwd file.

> So, is it a problem on your linux (where you are root)
> to copy some program (e.g. /bin/cat, but best your own
> statically linked prog) to a new directory,
> and set the uid flag on it? No! (man chmod, if yes)

Yes, it is. Setting the suid flag on a file makes it run as the owner of
the file, which will not be root unless root created the file and set the
suid flag.

Linux doesn't allow the giving away of files (user chowning files to
another user), but even so, a user writing to or changing flags on a suid
file not owned by them will clear the suid flag.

> Now just make an iso image with Rock Ridge extension
> from that directory and copy (man scp) it to the system
> you like to crack ...
> 
> If you can "mount just anything" (without restrictions,
> which are settable in /etc/fstab), mount it and ride
> your Trojan horse like this:
> 
>    path_to_your_mount_dir/cat   /etc/shadow

The 'user' flag to mount will clear the suid file on a mounted file system.
And it'd obviously be a Bad Idea to allow users to mount disks as root!
However, most systems have fstab entries for the floppy and CD drives which
use the user flag to mount. If physical disks are OK, then what's wrong
with disk images?

> Is it clear now? If not, try it ...
> but at your own risk, I am not responsible for any damage!

It doesn't work, for reasons I've outlined above. Unless you've somehow
managed to get root to set some flags for you, in which case the system is
as good as compromised anyway.

-- 
Andrew Farmer
[EMAIL PROTECTED]
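As an added example (not part of the thread, and not code from either poster), here is a POSIX shell audit of the fstab point Andrew raises: under mount(8), the `user`, `users`, `owner` and `group` options imply `nosuid` (plus `noexec` and `nodev`), so the entries worth finding are those where a later `suid` option re-enables set-uid bits on a user-mountable filesystem. The option semantics follow mount(8); the fstab content and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit an fstab for entries that ordinary users may mount
# with set-uid bits still honoured. Option semantics follow mount(8):
# "user", "users", "owner" and "group" imply nosuid (and noexec, nodev)
# unless a later option such as "suid" overrides them. The fstab text
# below is constructed for this example and is not from any real host.

# effective_suid OPTIONS
# Walk a comma-separated option list left to right, as mount(8) does,
# and print "suid" or "nosuid" for the resulting mount.
effective_suid() {
    _state=suid                       # a plain mount honours set-uid bits
    _saved_ifs=$IFS
    IFS=','
    for _opt in $1; do
        case "$_opt" in
            user|users|owner|group|nosuid) _state=nosuid ;;
            suid)                          _state=suid ;;
        esac
    done
    IFS=$_saved_ifs
    printf '%s\n' "$_state"
}

# user_mountable OPTIONS
# Succeed when the option list lets an unprivileged user mount the entry.
user_mountable() {
    case ",$1," in
        *,user,*|*,users,*|*,owner,*|*,group,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab
# Read fstab text on stdin; print "<mountpoint> <options>" for each entry
# that users may mount and that would still honour set-uid bits.
audit_fstab() {
    while read -r _dev _mnt _type _opts _rest; do
        case "$_dev" in ''|\#*) continue ;; esac      # skip blanks and comments
        if user_mountable "$_opts" && [ "$(effective_suid "$_opts")" = suid ]; then
            printf '%s %s\n' "$_mnt" "$_opts"
        fi
    done
}

# Constructed sample fstab. The last two entries re-enable suid after "user",
# which is the configuration the thread's scenario depends on.
SAMPLE_FSTAB='# constructed sample fstab
/dev/sda1     /            ext4     defaults                   0 1
/dev/fd0      /mnt/floppy  auto     noauto,user                0 0
/dev/cdrom    /mnt/cdrom   iso9660  ro,noauto,user             0 0
/dev/sdb1     /mnt/usb     ext2     noauto,user,exec,suid      0 0
/srv/img.iso  /mnt/iso     iso9660  loop,ro,noauto,users,suid  0 0
'

# Stand-alone run: report the risky entries of the sample.
printf '%s' "$SAMPLE_FSTAB" | audit_fstab
```

On a live host, run the same function against the real file with `audit_fstab < /etc/fstab`. For a filesystem that is already mounted, the kernel-effective options are the fourth field of `/proc/mounts` and can be fed to `effective_suid` directly; `user` itself never appears there because it is a userspace-only option, so `nosuid` shows up explicitly when it applies.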
