Permissions again Re: Digital Unix 4.0E /var permission (fwd)

From: Psarras Nikos <psarnik_at_aetos.it.teithe.gr>
Date: Wed, 07 Apr 1999 01:49:03 +0200

Hi,
I am sending you a message from BUGTRAQ. I hope you don't mind .. :)

This is about permissions during xlogin firing up cde ... have fun

---------- Forwarded message ----------
Date: Tue, 6 Apr 1999 10:47:26 +0200
From: Jochen Thomas Bauer <jtb_at_THEO2.PHYSIK.UNI-STUTTGART.DE>
To: BUGTRAQ_at_netspace.org
Subject: Re: Digital Unix 4.0E /var permission

Hello,

On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:
>On Digital Unix 4.0E with the latest patch kit applied, after a new
>installation /var has g+w for group system.

This problem seems to exist in other versions of Digital Unix, too.
At least on Digital Unix 4.0c and 4.0d (Factory Installed Software,
no patches applied, CDE in use) /var, which in my case is a link to
/usr/var, has

drwxrwxr-x 28 root system 512 Feb 11 12:58 /usr/var/

permissions. However, on Digital Unix 4.0b (Patch kit DUV40BAS00008-
19980821 applied, Software installed from CD, CDE in use) /usr/var
has

drwxr-xr-x 23 root system 512 Feb 11 1998 /usr/var/

permissions.

>The whole thing is done while executing /sbin/rc3.d/S95xlogin and
>only if CDE is selected.

This does not seem to be the case for Digital Unix 4.0c and 4.0d.
There is no chmod of /var in /sbin/rc3.d/S95xlogin.

>Anyone that can crack any account with gid==system may exploit this
>(not tested but there should be no problem with mv'ing /var/sbin,
>/var/adm etc etc..).

Or do the following:
CDE's Xconfig file is a link from /var/dt/Xconfig to the actual config
file. Moving /var/dt and creating your own /var/dt, you could replace
the system Xconfig file with your own version which has the session
manager specification

Dtlogin*session: /usr/dt/bin/Xsession

replaced with something more evil. Then just wait for root to
log in on the console....

--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany
PGP public key available from:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
Received on Tue Apr 06 1999 - 22:52:37 NZST
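
A defender-side check for the two conditions raised in this thread, as an added example that is not part of the original messages: it flags group- or other-writable directories along a path such as /var/dt and compares the Dtlogin*session line in Xconfig with the value quoted above. The function names are hypothetical, and it assumes a POSIX sh with ls, awk and sed.

```shell
#!/bin/sh
# Added example (not from the thread): defensive audit for the two conditions
# the message describes. Function names are hypothetical.

# Value quoted in the message as the stock session manager specification.
EXPECTED_SESSION=/usr/dt/bin/Xsession

# Print "g" and/or "o" if directory $1 (symlinks followed, e.g. /var -> /usr/var)
# is group- or other-writable. Parses the `ls -ld` mode string for portability.
dir_write_flags() {
    mode=$(ls -ldL "$1" 2>/dev/null | awk '{print $1}')
    # Sticky directories restrict rename/delete to the entry's owner; skip them.
    case "$mode" in d????????[tT]*) return 0 ;; esac
    flags=""
    case "$mode" in d????w*) flags="${flags}g" ;; esac
    case "$mode" in d???????w*) flags="${flags}o" ;; esac
    printf '%s' "$flags"
}

# Check $1 and every parent directory: write access to any parent
# lets its entries be renamed and replaced.
audit_chain() {
    p=$1; rc=0
    while :; do
        f=$(dir_write_flags "$p")
        if [ -n "$f" ]; then echo "WRITABLE($f): $p"; rc=1; fi
        case "$p" in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}

# Compare the Dtlogin*session resource in Xconfig file $1 with the expected value.
# Assumption: if the resource appears more than once, the last entry is checked.
check_session() {
    val=$(sed -n 's/^[[:space:]]*Dtlogin\*session:[[:space:]]*//p' "$1" |
          sed 's/[[:space:]]*$//' | tail -1)
    if [ "$val" = "$EXPECTED_SESSION" ]; then echo "OK: session=$val"; return 0; fi
    echo "MISMATCH: session='$val' expected $EXPECTED_SESSION"; return 1
}

# Usage: sh audit.sh /var/dt /var/dt/Xconfig
if [ "$#" -ge 2 ]; then
    audit_chain "$1"; check_session "$2"
fi
```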
