
Re: [Full-Disclosure] Partial Solution to SUID Problems

From: Brian Hatch <bri@ifokr.org>
Date: Sun Dec 07 2003 - 09:54:38 CST

> > On a server that you have shell access, you probably really need to add
> > 'passwd' to the 'suid partition'. You may need some other things,
> > on some of our servers, I have 'ping' as well.
>
> it's not really necessary to have passwd setuid.
> you just can write a passwd server process and the passwd(8)
> just talks to this server via unix domain sockets.
...

Or you can use tcb, which is default in Owl, where the
shadowed password entries are not all in the same file, but
rather in user-specific subdirectories. passwd is sgid
to get access to the tcb dir, and the shadow entry is writable
by the user directly, and only contains that user's entry.

More info at http://www.openwall.com/tcb/

 

--
Brian Hatch                  Thou shalt not pray
   Systems and                to Zeus for things
   Security Engineer          your usual god would
http://www.ifokr.org/bri/     laugh at.
Every message PGP signed

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Sun Dec 07 10:05:36 2003
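
An audit of the per-user shadow layout described in the message above, as an added example that is not part of the original post or of the tcb project: it checks that each user's shadow file holds only that user's entry, is owned by the owner of the user's directory, and is not accessible to "other". The `<root>/<user>/shadow` layout, the function names and the sample entries are assumptions made for the example.

```python
import os
import stat
import tempfile

def audit_tcb(root):
    """Return (user, problem) findings for a tree laid out as root/<user>/shadow."""
    findings = []
    for user in sorted(os.listdir(root)):
        udir = os.path.join(root, user)
        if not os.path.isdir(udir):
            continue
        path = os.path.join(udir, "shadow")
        try:
            st = os.lstat(path)  # lstat: a symlink must not pass as the real file
        except FileNotFoundError:
            findings.append((user, "no shadow file"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((user, "shadow is not a regular file"))
            continue
        if st.st_mode & stat.S_IRWXO:
            findings.append((user, "shadow accessible to other"))
        if st.st_uid != os.lstat(udir).st_uid:
            findings.append((user, "shadow owner differs from directory owner"))
        with open(path) as fh:
            names = [ln.split(":", 1)[0] for ln in fh if ln.strip()]
        if names != [user]:  # exactly one entry, and it must be this user's
            findings.append((user, "entries for %r, expected only %r" % (names, user)))
    return findings

def build_sample(root):
    """Constructed sample data: one clean user and two broken ones."""
    sample = {
        "alice": ("alice:CONSTRUCTED_HASH:12393::::::\n", 0o640),
        "bob": ("bob:CONSTRUCTED_HASH:12393::::::\nroot:!:12393::::::\n", 0o640),
        "carol": ("carol:CONSTRUCTED_HASH:12393::::::\n", 0o644),
    }
    for user, (text, mode) in sample.items():
        os.mkdir(os.path.join(root, user))
        path = os.path.join(root, user, "shadow")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)  # set explicitly so the umask does not matter

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for user, problem in audit_tcb(d):
            print(user, problem)
```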

This archive was generated by hypermail 2.1.8 : Sun Dec 07 2003 - 11:01:00 CST
