Re: Irix logs + su

From: pmwsat_private
Date: Mon Dec 21 1998 - 03:26:27 PST

    Subject: Re: Irix tape devices + logs + su
    
    hi,
    i hope this is no grey bearded stuff ;)
    
    On Dec 18,  6:05pm, Valdis.Kletnieksat_private wrote:
    > Subject: Re: Irix tape devices + logs + su
    > >  Also, /var/adm/SYSLOG contains the failed login names (even if they
    > > don't exist) and by default, this file is forced to be mode 644 (root's
    > > crontab will take care of this, when rotating the logs).
    >
    > This can be an issue.
    >
    there is a much more funny 'feature': if you add a user via
    addUserAccount this action is logged in SYSLOG including the (crypted)
    password (seen on an origin 2000). to me, this makes /etc/shadow rather
    useless. on my machines i cannot reproduce this behavior. is there anybody
    who has seen this before??
    
    > >  Finally, when using su, the user's .cshrc will be executed with
    > > privileges of the target user (if the su is successful). For example,
    > > if user nobody has a cp /bin/sh /tmp; chmod 6755 /tmp/sh in his .cshrc
    > > and he uses su to become root, a rootshell will be available in /tmp :)
    > > This is valid only for successful su's
    >
    > So?  They're root, and they could do that *anyhow*. No exposure here.
    >
    > Now, if the user can trick the sysadmin into su'ing and running the
    > user's .cshrc *instead* of the sysadmin's, that's more interesting.
    if you read the su manpages it goes like:
    ...
         sh(1).  If the first argument to su is a -, the environment is changed to
         what would be expected if the user actually logged in as the specified
         user.  This is done by invoking the program used as the shell with an
         arg0 value whose first character is -, thus causing the system's profile
         (/etc/profile) and then the specified user's profile (.profile in the new
         HOME directory) to be executed.
    ...
    and this works as expected: if you add the - option nothing evil happens.
    otherwise you're lost ;) (on my machines at least...)
    > >-- End of excerpt from Valdis.Kletnieksat_private
    
    merry x-mas,
    philipp
    ---
    Sent through Global Message Exchange - http://www.gmx.net
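
A defensive check for the SYSLOG exposure discussed in the message above, as an added example that is not part of the original post: it flags a log file that is readable by everyone and counts lines carrying tokens shaped like a classic 13-character crypt(3) hash. The function names, the digit-plus-mixed-case heuristic and the sample log lines are assumptions made for illustration; the sample lines are constructed and are not real IRIX output.

```shell
#!/bin/sh
# Added example (not from the original post): audit a syslog-style file for
# the exposure described above. All function names are hypothetical.

# world_readable FILE: succeeds if "other" has read permission (e.g. mode 644).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# count_crypt_like FILE: prints how many lines hold a token that looks like a
# classic DES crypt(3) hash: exactly 13 chars from [./0-9A-Za-z]. Requiring a
# digit plus mixed case is a heuristic to skip ordinary 13-letter words.
count_crypt_like() {
    LC_ALL=C awk '{
        n = split($0, tok, "[^./0-9A-Za-z]+")
        for (i = 1; i <= n; i++)
            if (length(tok[i]) == 13 && tok[i] ~ /[0-9]/ &&
                tok[i] ~ /[A-Z]/ && tok[i] ~ /[a-z]/) { hits++; break }
    } END { print hits + 0 }' "$1"
}

# audit_log FILE: returns 0 if not world-readable, 1 if world-readable,
# 2 if world-readable and hash-like tokens are present.
audit_log() {
    world_readable "$1" || return 0
    echo "WARN: $1 is world-readable; failed login names are exposed"
    hits=$(count_crypt_like "$1")
    [ "$hits" -gt 0 ] || return 1
    echo "WARN: $1 has $hits line(s) with crypt-like tokens"
    return 2
}

# make_sample FILE: writes constructed lines (not real IRIX SYSLOG output).
make_sample() {
    cat > "$1" <<'EOF'
Dec 21 03:20:01 host login: failed login for nosuchuser
Dec 21 03:21:10 host acctmgr: new account alice pw=ab1Cd2Ef3Gh4I
EOF
}

# Audit the file given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_log "$1"
fi
```

Run it with the log path as the only argument; a hit from the hash heuristic still needs a manual look, since any 13-character mixed token matches.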
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:24 PDT