Hello,

On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:

>On Digital Unix 4.0E with the latest patch kit applied, after a new
>installation /var has g+w for group system.

This problem seems to exist in other versions of Digital Unix, too.
At least on Digital Unix 4.0c and 4.0d (Factory Installed Software,
no patches applied, CDE in use) /var, which in my case is a link to
/usr/var, has

    drwxrwxr-x 28 root system 512 Feb 11 12:58 /usr/var/

permissions. However, on Digital Unix 4.0b (Patch kit
DUV40BAS00008-19980821 applied, Software installed from CD, CDE in use)
/usr/var has

    drwxr-xr-x 23 root system 512 Feb 11 1998 /usr/var/

permissions.

>The whole thing is done while executing /sbin/rc3.d/S95xlogin and
>only if CDE is selected.

This does not seem to be the case for Digital Unix 4.0c and 4.0d.
There is no chmod of /var in /sbin/rc3.d/S95xlogin.

>Anyone that can crack any account with gid==system may exploit this
>(not tested but there should be no problem with mv'ing /var/sbin,
>/var/adm etc etc..).

Or do the following: CDE's Xconfig file is a link from /var/dt/Xconfig
to the actual config file. Moving /var/dt and creating your own /var/dt,
you could replace the system Xconfig file with your own version which
has the session manager specification

    Dtlogin*session: /usr/dt/bin/Xsession

replaced with something more evil. Then just wait for root to log in
on the console....

--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany

PGP public key available from:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
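
A defender-side check for the two conditions discussed in this thread, as an added example that is not part of the original posts: it reports whether /var or /var/dt is group-writable and whether Dtlogin*session in /var/dt/Xconfig differs from the /usr/dt/bin/Xsession value quoted above. The function names and the ROOT prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added audit example; not from the original post.
# Value the post quotes for the stock CDE session resource.
EXPECTED_SESSION=/usr/dt/bin/Xsession

# group_writable DIR: true if DIR (symlinks followed, as /var -> /usr/var
# in the post) is a directory with the group-write bit set.
group_writable() {
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d????w????) return 0 ;;
        *) return 1 ;;
    esac
}

# xconfig_session FILE: print the last Dtlogin*session value in FILE,
# ignoring commented-out lines; prints nothing if the resource is unset.
xconfig_session() {
    awk '/^[ \t]*Dtlogin\*session[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
         }
         END { if (v != "") print v }' "$1"
}

# audit ROOT: ROOT is a path prefix ("" for the live system; a scratch
# directory in tests). Exit status is the number of findings.
audit() {
    root=$1; findings=0
    for d in "$root/var" "$root/var/dt"; do
        if group_writable "$d"; then
            echo "FINDING: group-writable: $(ls -ldL "$d")"
            findings=$((findings + 1))
        fi
    done
    cfg=$root/var/dt/Xconfig
    if [ -e "$cfg" ]; then
        session=$(xconfig_session "$cfg")
        if [ -n "$session" ] && [ "$session" != "$EXPECTED_SESSION" ]; then
            echo "FINDING: $cfg: Dtlogin*session is $session"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

Running `audit ""` checks the live system; an unset session resource is not reported, since only an explicit non-stock value is treated as a finding.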
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:34 PDT