Mailing List Archive


Re: [tlug] security dude....the puto story



On Sat, Feb 23, 2002 at 04:38:51PM +0100,
Pietro Zuco wrote:
> 5. I thought that puto can change this situation so I became root with su 
> command. I typed chown root.root .bashrc
> 6. The .bashrc file has 644 attributes, list with ls -l and I confirm that the 
> .bashrc file now is of user root and group root
> 7. exit root so I'm puto again
> 8. edit the .bashrc file with vi
> 9. The vi alerts me that the file is read-only
> 10. I change the content of the file and put the mc line in comment
> 11. quit vi with wq! option, and it says "written!!"
> 12. list with ls -l 
> I am surprised because the file .bashrc now is of puto again! The user and group 
> are puto and puto!

If /home/puto is writable by puto, puto can remove any file from that
directory, regardless of who owns it, and replace it with his own.
One way to prevent this is to: 

    chown root.puto /home/puto   # replace first "puto" with whatever his
                                 # default group is
    chmod 1775 /home/puto

The leading "1" in the permission means that, even if you have write
privileges to the directory, you are only allowed to delete files that
you own.  It's a setup usually used for /tmp.  This way puto can still
write whatever he wants into his home directory, but he cannot change
files that root installed for him.

Your second story appears to be the same.

-- 
Shimpei Yamashita                               http://www.shimpei.org/
You can't have everything. Where would you put it?    -- Steve Wright
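
The rule described in the reply above, written out as a shell function so each case from the thread can be checked (an added example, not part of the original message). The uid and gid 1000 for puto are constructed values, and the check assumes plain Unix permissions with no ACLs or capabilities.

```shell
#!/bin/sh
# can_replace MODE DIR_UID DIR_GID FILE_UID USER_UID USER_GIDS
# Returns 0 if the user could unlink (and therefore replace) a file in a
# directory with the given octal MODE (as printed by `stat -c %a`) and owner.
can_replace() {
    mode=$((0$1)); dir_uid=$2; dir_gid=$3; file_uid=$4; uid=$5; gids=$6
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses these checks
    # Pick the permission triplet that applies: owner, else group, else other.
    if [ "$uid" -eq "$dir_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$dir_gid" ]; then bits=$(( (mode >> 3) & 7 )); fi
        done
    fi
    # Unlinking needs write (2) and search (1) permission on the directory.
    if [ $(( bits & 3 )) -ne 3 ]; then return 1; fi
    # Without the sticky bit (01000), directory write access is sufficient.
    if [ $(( mode & 01000 )) -eq 0 ]; then return 0; fi
    # With it, only the file's owner or the directory's owner may unlink.
    [ "$uid" -eq "$file_uid" ] || [ "$uid" -eq "$dir_uid" ]
}

# Constructed ids for the thread's scenario: puto is uid 1000, gid 1000.
show() {  # show LABEL MODE DIR_UID DIR_GID FILE_UID
    if can_replace "$2" "$3" "$4" "$5" 1000 "1000"; then r="can replace"
    else r="cannot replace"; fi
    printf '%-46s puto %s it\n' "$1" "$r"
}
show "home 755 puto:puto, .bashrc owned by root"   755  1000 1000 0
show "home 775 root:puto, .bashrc owned by root"   775  0    1000 0
show "home 1775 puto:puto, .bashrc owned by root"  1775 1000 1000 0
show "home 1775 root:puto, .bashrc owned by root"  1775 0    1000 0
show "home 1775 root:puto, file owned by puto"     1775 0    1000 1000
```

Only the fourth case protects the root-owned file: the sticky bit alone is not enough while puto still owns the directory, and root ownership alone is not enough without the sticky bit.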
