Re: named-xfer hole on AIX (fwd)

From: Troy A. Bollinger (troyat_private)
Date: Mon Sep 27 1999 - 15:24:50 PDT


    Quoting Kyle Amon (amonkat_private):
    > On AIX, named-xfer has the following permissions...
    >
    > -r-sr-xr--   1 root     system     32578 Feb 18 1997  /usr/sbin/named-xfer
    >
    > which of course means that only root and members of the system group have
    > execute permission but that (since the SUID bit is set) it executes as
    > root even when run by non-root members of the system group.  So, although
    > one would have to already be a member of the system group (or manage to
    > obtain such status) in order to exploit the problem described here, it's
    > still a rather significant problem.  And it's much worse than the old
    > sendmail -C problem which was still exploitable in AIX up until very
    > recently when one was a member of the system group.  The big difference
    > here being that sendmail -C only let one read files they shouldn't have
    > been able to read whereas this problem lets one write them :-).
    
    AIX administrative groups (such as system) should only be assigned to
    users that are trusted to perform duties that ordinarily would require
    the root password.  To put it another way, if you need to use named-xfer
    to get root from the system group, your cracker license is getting
    stale.
    
    > The problem is that named-xfer writes its resulting zone file (when using
    > the -f option) without (or at least before) relinquishing its root
    > privilege (and I doubt it ever relinquishes it since it doesn't really
    > need it in the first place).
    
    Nevertheless, this certainly isn't expected behavior.  I've opened
    defect 287556 to fix this in the next release.
    
    --
    Troy Bollinger                            troyat_private
    AIX Security Development        security-alertat_private
    PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
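The pattern both posters describe is a setuid-root helper that opens a caller-supplied output path (named-xfer's -f argument) while still running as root, so the kernel applies root's permissions rather than the invoking user's. The following is an added example of the opposite ordering, written for this archive page; it is not IBM's fix for defect 287556 and not code from named-xfer or BIND. It assumes POSIX setuid/setgid semantics, a Linux or BSD-style setgroups(), and O_NOFOLLOW; the function names, the output path and the zone text are made up for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed sample zone content standing in for what a transfer would produce. */
static const char SAMPLE_ZONE[] =
    "$ORIGIN example.test.\n"
    "@ IN SOA ns1 hostmaster 1 3600 900 604800 86400\n"
    "@ IN NS ns1\n";

/* Permanently give up root and become the real (invoking) user.
   Order matters: supplementary groups and the gid are dropped first,
   because once setuid() has run, a non-root process can no longer change
   its gid.  Returns 0 on success; on -1 the caller must not continue. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* non-POSIX; Linux/BSD */
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop is real and irreversible (skipped when the invoker
       genuinely is root, where regaining euid 0 is legitimate). */
    if (ruid != 0 && (seteuid(0) == 0 || geteuid() != ruid || getegid() != rgid))
        return -1;
    return 0;
}

/* Write the zone text to a caller-chosen path, but only after dropping
   privileges, so the open() is checked against the invoking user.
   O_NOFOLLOW refuses a symlink planted at the output path.
   Returns the number of bytes written, or -1 on any failure. */
ssize_t write_zone_file(const char *path, const char *data)
{
    if (drop_privileges() != 0)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? n : -1;
}

/* Read the file back and compare, so a caller can confirm what landed on disk. */
int zone_file_matches(const char *path, const char *expected)
{
    char buf[1024];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    const char *out = (argc > 1) ? argv[1] : "/tmp/named-xfer-example.db";
    if (write_zone_file(out, SAMPLE_ZONE) < 0) {
        fprintf(stderr, "refused to write %s: %s\n", out, strerror(errno));
        return 1;
    }
    printf("wrote %s as uid %u\n", out, (unsigned)geteuid());
    return 0;
}
```

Run as an unprivileged user with a path such as /etc/test.db as the argument and the open() fails with EACCES, which is exactly the outcome the quoted message says named-xfer does not produce. The drop-then-open order is the whole point: any privileged work a helper really needs (binding a low port, reading a root-only config) must be finished before this sequence, and the verification step after setuid() catches platforms or build flags where the drop silently did not take.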
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:35 PDT