Hey If this has already been brought up, you have the right to stone me to death, But I havent seen it and ive searched, so here it is: I was fooling around today, and decided to rm /tmp/.X11-unix and then make a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed up /etc/passwd and ln -s /etc/passwd /tmp/.X11-unix and then startx'd as normal user acount, But X wouldnt start, it complained and said "is not a directory" So, I made a symbolic link from /root to /tmp/.X11-unix, and startx'd as a normal user, and was suprised to have write access to /root. I was able to write new files to /root but was not able to overright or change files, i was able to make a "+ +" .rhosts though. I did this to /etc also, changed it from: drwxr-xr-x To: drwxrwxrwt with: telnetd ~$ ln -s /etc /tmp/.X11-unix telnetd ~$ startx I have tested this via a remote telnet sesion also, It works if you are able to startx and X isnt already running, I swung my chair around and got on my gateway, telneted to stinky, logged in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotly, Saw the X startup crap, looked behind me and saw X starting on stinky, I turned to my gateway and stoped X, and had write access to /etc. wh00t@$#!$ The only real thing I can think of for this to be usefull is .rhosts in /root... later telnetdat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:39:34 PDT