Security hole

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill

Hi Bill,

I get an error:

chown: Operation not permitted (chown /home/emuis/oops)

when performing the chown operation (as expected). What version
did you use this on? I tested this on 4.25D. Was there another
step that I missed?

Erick.



William Peters <wgpeters@epix.net> wrote:

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill

William Peters <wgpeters@epix.net> wrote:

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill

has your chown util been set setuid to root ?
it should be owned by root, but not with rws perms.

ie. this doesn’t happen here. the chown fails (as expected) with EPERM

There is another thing that could do this. If the sticky bit is
set on chown and root is the owner then this command would work.
This would be a bad thing to have set… IMHO :)

Erick.



Mike Taillon <miket@qnx.com> wrote:

William Peters <wgpeters@epix.net> wrote:

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill

has your chown util been set setuid to root ?
it should be owned by root, but not with rws perms.

ie. this doesn’t happen here. the chown fails (as expected) with EPERM

Drat, sorry, Mike said the same thing below.



Erick Muis <emuis@qnx.com> wrote:


There is another thing that could do this. If the sticky bit is
set on chown and root is the owner then this command would work.
This would be a bad thing to have set… IMHO :)

Erick.



Mike Taillon <miket@qnx.com> wrote:
William Peters <wgpeters@epix.net> wrote:

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill

has your chown util been set setuid to root ?
it should be owned by root, but not with rws perms.

ie. this doesn’t happen here. the chown fails (as expected) with EPERM

Ok,

I found the hole… My directories are mirrored with DiskShadow…

If I try this exercise on a non-mirrored directory, it fails as it should.
So, the security hole is with DiskShadow, and not QNX.

Thanks guys,
Bill

“William Peters” <wgpeters@epix.net> wrote in message
news:8sf7n0$4pv$1@inn.qnx.com

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill

If you can provide me with a license number, I will have this matter
looked into.

Geoff Roberts
Realtime Technology Systems Pty Ltd
2 Hadleigh Circuit
Isabella Plains
ACT 2905
AUSTRALIA.

email: ger@rtts.com.au

Worldwide Distributor of DiskShadow.




William Peters wrote:

Ok,

I found the hole… My directories are mirrored with DiskShadow…

If I try this exercise on a non-mirrored directory, it fails as it should.
So, the security hole is with DiskShadow, and not QNX.

Thanks guys,
Bill

“William Peters” <wgpeters@epix.net> wrote in message
news:8sf7n0$4pv$1@inn.qnx.com…

Is there a fix for this??

login as joeuser on my QNX4 server
cp /bin/ksh /home/joeuser/oops
chmod 4755 /home/joeuser/oops
chown root:root /home/joeuser/oops

Nothing fails, and I now have root privileges by running “oops”

Thanks,

Bill
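
A defender-side check for the two conditions raised in the replies above (a chown utility that is setuid root, and a directory where an unprivileged chown to root is not refused), as an added example that is not part of the original thread. The `/bin/chown` default, the `CHOWN_BIN` variable and the function names are assumptions; run the directory probe as an ordinary user, passing the directories to test as arguments.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the numeric owner uid of FILE if its setuid bit is set; print nothing otherwise.
setuid_owner() {
    [ -u "$1" ] || return 0
    ls -lnd "$1" | awk '{ print $3 }'
}

# Return 0 if the utility at $1 is owned by uid 0 AND setuid ("rws" perms).
chown_is_setuid_root() {
    [ "$(setuid_owner "$1")" = "0" ]
}

# Probe DIR as the current unprivileged user with an empty scratch file.
# 0 = file ended up root-owned with setuid kept (chown was not refused)
# 1 = chown refused or ownership unchanged (expected behaviour)
# 2 = probe not meaningful (running as root, or DIR not writable)
chown_giveaway_allowed() {
    dir=$1
    [ "$(id -u)" -ne 0 ] || return 2
    probe="$dir/.chown_probe.$$"
    touch "$probe" 2>/dev/null || return 2
    chmod 4755 "$probe"
    chown 0 "$probe" 2>/dev/null || :    # EPERM is the expected outcome
    got=$(setuid_owner "$probe")
    rm -f "$probe"
    [ "$got" = "0" ]
}

# Assumed location of the chown utility; override with CHOWN_BIN if it differs.
CHOWN_BIN=${CHOWN_BIN:-/bin/chown}
if chown_is_setuid_root "$CHOWN_BIN"; then
    echo "WARNING: $CHOWN_BIN is setuid root"
fi

# Compare directories, e.g. a mirrored one against a non-mirrored one.
for d in "$@"; do
    rc=0
    chown_giveaway_allowed "$d" || rc=$?
    case $rc in
        0) echo "FAIL: $d lets an unprivileged user chown a setuid file to root" ;;
        1) echo "ok:   $d refuses the chown" ;;
        *) echo "skip: $d (run as a non-root user with write access)" ;;
    esac
done
```
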