SUMMARY: URGENT security hole

From: scott johnson <scott_at_dsuper.net>
Date: Fri, 11 Apr 1997 21:00:29 -0400

Hi,

        Please excuse my ignorance! We are trying to use Digital's locker_admin
system. It installs a menu system for the users that is started from
".profile". We changed the owner of this file to root, to prevent users
from removing this and getting a regular shell. "NO GO!".

        The total sum of what I got from the list was, "this is normal"!!!! and my
answer is "for what??". Here is a good security question. If a file is
owned by "ROOT", why does anyone have the right to remove the file at all?
If someone manages to change the ownership of "/etc" through some other
security bug, he/she can destroy your system!!!!

        You will find my original question below.

        Thanks to all for the info. Don't get me wrong, I'm not mad at you guys.
This list is the best in the world.

Scott Johnson
scott_at_dsuper.net

P.S. we will have to create a new shell that is a menu to prevent this in
the future.

> Hi ALL,
>
> In the last couple of days I have been working on closing all security
> holes that exist on our system. We have found a problem with the "RM"
> command. We have found that users can remove files owned by root from their
> personal directories. The user simply answers "yes" to override the
> "700" rights to the file.
>
> We have a DEC 1000 running DEC Unix 4.0b. If anyone has a fix please
> email me, this is urgent.
Received on Sat Apr 12 1997 - 03:12:27 NZST
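The behaviour the original question describes, reproduced as an added demonstration (this is not part of the post, and has nothing to do with Digital's locker_admin code). On Unix, unlink(2) checks write and search permission on the directory that holds the entry, not the owner or mode of the file itself; the file's mode only decides whether an interactive rm asks for confirmation, and rm -f skips even that. So a root-owned, mode-000 .profile in a directory the user can write to is removable by that user, while a world-writable file in a directory the user cannot write to is not. The conventional fix is the sticky bit on the directory (chmod +t), which lets only the file's owner, the directory's owner, or root unlink entries, or, as the P.S. says, making the menu the login shell. The script below uses a temporary directory from mktemp and hypothetical file names; it must run as an ordinary user, because the superuser bypasses the directory check.

```shell
#!/bin/sh
# Added demonstration, not code from the original post.
# Shows that unlink permission lives on the directory, not the file.
# Paths are hypothetical and created under a fresh temp directory.

set -u

WORK=$(mktemp -d)                      # assumed: mktemp -d is available
trap 'chmod -R u+w "$WORK" 2>/dev/null; rm -rf "$WORK"' EXIT

# Returns 0 if a file with no permission bits at all can still be removed
# from a directory the caller can write to (what the post calls a hole).
remove_unwritable_file_from_writable_dir() {
    mkdir -p "$WORK/writable"
    echo "exec menu" > "$WORK/writable/profile"   # stand-in for .profile
    chmod 000 "$WORK/writable/profile"            # file: no read/write/exec
    chmod 755 "$WORK/writable"                    # directory: writable by us
    # -f answers the "override r--------?" prompt that rm would otherwise
    # print on a terminal; the kernel never consulted the file's mode.
    rm -f "$WORK/writable/profile"
    [ ! -e "$WORK/writable/profile" ]
}

# Returns 0 if removal is refused once the directory is not writable,
# even though the file itself is writable. Root bypasses this check.
remove_file_from_unwritable_dir_is_refused() {
    mkdir -p "$WORK/locked"
    echo "exec menu" > "$WORK/locked/profile"
    chmod 644 "$WORK/locked/profile"              # file: writable by us
    chmod 555 "$WORK/locked"                      # directory: not writable
    rm -f "$WORK/locked/profile" 2>/dev/null
    status=$?
    chmod 755 "$WORK/locked"                      # restore so cleanup can run
    [ "$status" -ne 0 ] && [ -e "$WORK/locked/profile" ]
}

# Returns 0 after setting the sticky bit (mode 1xxx) on a directory. With it
# set, only a file's owner, the directory's owner, or root may unlink an
# entry. Observing the refusal needs a second uid, so this only confirms
# the bit is set.
set_sticky_bit() {
    mkdir -p "$WORK/sticky"
    chmod 1777 "$WORK/sticky"
    [ -k "$WORK/sticky" ]
}

# Stand-alone run: report each result without aborting on the root case.
if remove_unwritable_file_from_writable_dir; then
    echo "mode-000 file removed: directory write permission decided"
fi
if remove_file_from_unwritable_dir_is_refused; then
    echo "writable file kept: directory not writable (or you are root)"
fi
if set_sticky_bit; then
    echo "sticky bit set on $WORK/sticky"
fi
```

The first function is the exact situation in the post: chown root plus chmod 700 on .profile changes nothing, because the user's home directory is where the permission that matters lives. The sticky-bit function shows the standard mitigation, but note that it only restricts unlinking; a user who can write to their home directory can still create a different startup file, which is why replacing the login shell is the more robust route.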
