Assume that the executable is in /home/foo/bar/boof and I have write
permissions on /home/foo (either group or world).
I can rename foo (eg, mv /home/foo /home/.foo) and create a new foo
directory that I own and a /home/foo/bar directory, too.
Now I can selectively copy the items from bar on down back in to my new
directory, changing those items that need it and setting
permissions/owner/group as needed to fool you into thinking that nothing’s
wrong.
That’s why a group writable home directory is bad. I can go in and create a
.rhosts file that allows me to become you, and get you in trouble.
Mike
···
-----Original Message-----
From: bbense+comp.lang.ruby.Sep.11.02@telemark.stanford.edu
-
- To be honest I don’t quite understand the specific mechanisms by which a
group
writeable directory anywhere in the tree can be abused, but all the really
paranoid software I know of takes this precaution.
In article 667ED598F8A2D311981D00508B1223800E6C7168@emss02m04.ems.lmco.com,
Assume that the executable is in /home/foo/bar/boof and I have write
permissions on /home/foo (either group or world).
I can rename foo (eg, mv /home/foo /home/.foo) and create a new foo
directory that I own and a /home/foo/bar directory, too.
Now I can selectively copy the items from bar on down back in to my new
directory, changing those items that need it and setting
permissions/owner/group as needed to fool you into thinking that nothing’s
wrong.
-
- Are there unix OS’s that still allow a regular user to chown
files?
That’s why a group writable home directory is bad. I can go in and create a
.rhosts file that allows me to become you, and get you in trouble.
-
- Yes, if your home dir is group writeable you have a lot more
problems than trojan ruby-inline files… But if say /home
was group writeable, and I check ownership of the files I don’t
see how there is an attack unless the OS allows ordinary users
to chown files. I know this was possible in older unix
versions, but I don’t know of any current unix OS’s that allow
this. I guess I should read what POSIX has to say about the
matter.
-
···
Henderson, Michael D michael.d.henderson@lmco.com wrote:
I shouldn’t worry too much about chown. If a directory is group
writeable and I’m in that group, I can delete everything in that
directory and replace it with whatever I like. I think that’s the
important problem that certain programs check for.
Tom.
···
- bbense+comp.lang.ruby.Sep.12.02@telemark.stanford.edu (bbense+comp.lang.ruby.Sep.12.02@telemark.stanford.edu) wrote:
That’s why a group writable home directory is bad. I can go in and create a
.rhosts file that allows me to become you, and get you in trouble.
- Yes, if your home dir is group writeable you have a lot more
problems than trojan ruby-inline files… But if say /home
was group writeable, and I check ownership of the files I don’t
see how there is an attack unless the OS allows ordinary users
to chown files. I know this was possible in older unix
versions, but I don’t know of any current unix OS’s that allow
this. I guess I should read what POSIX has to say about the
matter.
–
.^. .-------------------------------------------------------.
/V\ | Tom Gilbert, London, England | http://linuxbrit.co.uk |
/( )\ | Open Source/UNIX consultant | tom@linuxbrit.co.uk |
^^-^^ `-------------------------------------------------------’