[clue-tech] File permission anomalies under FC3
Joe 'Zonker' Brockmeier
xonker at gmail.com
Tue Jun 14 08:58:28 MDT 2005
bof wrote:
> Hello,
>
> I've just installed Krud FC3 and in examining it, I've found a large
> number of files that strike me as security holes: some are
> world-writable, some have numbers for owner/groups and some have SUID
> bits set. For example:
>
> world-writable files
> -rw-rw-r-- 1 20 0 Oct 19 2004 /var/lib/games/gnotski.1.scores
> -rw-rw-r-- 1 20 0 Oct 19 2004 /var/lib/games/gnibbles.4.1.scores
> -rw-rw-r-- 1 20 0 Oct 19 2004 /var/lib/games/gnobots2.robots2_easy-super-safe.scores

World writable? rw-rw-r is "readable & writeable by user, group,
readable by everyone."

It looks like your SUID files are actually SGID - the sticky bit is set
for the group owner, not the user. Whether that's safe or not, I don't
think that it's ever 100 percent safe... there may be a reason that
ssh-agent needs to have the sticky bit set.

Best,

Zonker
--
Joe 'Zonker' Brockmeier <xonker at gmail.com>
"Liberty's too precious a thing to be buried in books... Men
should hold it up in front of them every single day of their lives
and say: I'm free to think and to speak. My ancestors couldn't, I
can, and my children will. Boys ought to grow up remembering that."
"Mr. Smith Goes to Washington" -- James Stewart
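
Added example, not part of the original message: a small Python decoder for the `ls -l` mode strings discussed in this thread, reporting which of world-writable, group-writable, setuid, setgid and sticky each string actually sets. The function names are hypothetical, and apart from `-rw-rw-r--`, which comes from the quoted listing, the sample mode strings are constructed.

```python
import stat

# rwx permission bits in the order they appear after the file-type character.
RWX = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
       stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
       stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# The execute slot of each triplet doubles as the indicator for a special bit.
SPECIAL = {2: ("s", stat.S_ISUID), 5: ("s", stat.S_ISGID), 8: ("t", stat.S_ISVTX)}

def parse_ls_mode(text):
    """Turn an `ls -l` mode string such as '-rw-rw-r--' into permission bits."""
    if len(text) != 10:
        raise ValueError(f"expected 10 characters: {text!r}")
    mode = 0
    for i, ch in enumerate(text[1:]):
        if ch == "-":
            continue
        if i in SPECIAL and ch.lower() == SPECIAL[i][0]:
            mode |= SPECIAL[i][1]
            if ch.islower():          # 's'/'t': the execute bit is set as well
                mode |= RWX[i]
        elif ch == "rwx"[i % 3]:
            mode |= RWX[i]
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 1} in {text!r}")
    return mode

def findings(text):
    """List the audit-relevant properties of one mode string."""
    mode = parse_ls_mode(text)
    checks = [("world-writable", stat.S_IWOTH), ("group-writable", stat.S_IWGRP),
              ("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID),
              ("sticky", stat.S_ISVTX)]
    return [name for name, bit in checks if mode & bit]

if __name__ == "__main__":
    samples = ["-rw-rw-r--",   # mode from the listing quoted in the thread
               "-rw-rw-rw-", "-rwsr-xr-x", "-rwxr-sr-x", "drwxrwxrwt"]  # constructed
    for s in samples:
        print(s, findings(s) or ["nothing flagged"])
```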