Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: Notesfiles $Revision: 1.6.2.17 $; site uokvax.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!ihnp4!inuxc!pur-ee!uiucdcs!uokvax!emks
From: emks@uokvax.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Re: Findsuid source (Re: Security an
Message-ID: <6200049@uokvax.UUCP>
Date: Fri, 8-Feb-85 04:08:00 EST
Article-I.D.: uokvax.6200049
Posted: Fri Feb  8 04:08:00 1985
Date-Received: Mon, 11-Feb-85 07:19:14 EST
References: <327@lsuc.UUCP>
Lines: 32
Nf-ID: #R:lsuc:-32700:uokvax:6200049:000:1490
Nf-From: uokvax!emks    Feb  8 03:08:00 1985


/***** uokvax:net.unix-wizar / enmasse!mike /  8:04 pm  Feb  1, 1985 */
> Another problem with having a find-suid-programs program that runs based
> on crontab entries is that anyone can see when the find-suid-programs
> program is going to run next, and make their moves on that basis.
> 
> 		kurt

But what are they going to do about it?  I suppose that if they knew the
order in which file systems were traversed they might be able to move
their program to a safe area and back again when all clear but this seems
a little drastic.  Easier to just modify an existing suid-root program
(like su) to grant a specific user or password root access.

CACM had an interesting article on this stuff a while back...
It amounted to this, once root has been compromised just once,
the whole system is suspect unless everything is rebuilt from scratch,
from the distribution tape.
/* ---------- */

Your last paragraph is correct. From a more practical standpoint, though,
were I to find some loophole (like using sendmail to create suid-root
files containing binaries, etc.), I'd prefer to know at what time the
regular search for suid programs took place.  If I *knew* that the
find started at 4 a.m., I'd remove all traces before then.

That's all a hypothetical "what-if" thing, though.  You're far more correct
to say that once a system's been broken, it remains that way (from a
potential security violation standpoint) until a trustworthy person brings
in certified "clean" code.

		kurt
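Added example, not part of the original thread or of either poster's code: a minimal version of the periodic setuid audit the posts describe, written from the defender's side. It lists setuid/setgid files, diffs the list against a saved baseline so only new entries are reported, and sleeps a random amount before the scan so the start time cannot be read straight off the crontab entry (the point raised in the quoted text). The directory list, the baseline file names, and the use of /dev/urandom are assumptions for illustration.

```shell
#!/bin/sh
# Added example: periodic setuid/setgid audit with a baseline and a
# randomized start delay. Paths and file names below are assumed.

# List setuid/setgid regular files under the given directories, one per
# line, sorted so the output can be compared against a saved baseline.
find_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print paths present in the current listing but absent from the baseline.
# Returns 1 when anything new was found, 0 when the lists agree.
new_suid_entries() {
    baseline="$1"
    current="$2"
    # comm needs sorted input; -13 keeps lines that only appear in $current
    added=$(comm -13 "$baseline" "$current")
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 1
    fi
    return 0
}

# Delay in seconds (0..3599) drawn from /dev/urandom, so that the actual
# scan time varies from run to run. Falls back to the PID if urandom is
# unavailable (assumed environment).
random_delay() {
    n=$(od -An -N2 -tu2 /dev/urandom 2>/dev/null) || n=$$
    echo $(( $n % 3600 ))
}

# Typical use from a crontab entry (assumed paths):
#   sleep "$(random_delay)"
#   find_suid / /usr > /var/tmp/suid.now
#   new_suid_entries /var/tmp/suid.baseline /var/tmp/suid.now \
#       || printf 'new setuid files found\n'
# After a trusted review, copy suid.now over suid.baseline.
```

The baseline is only as trustworthy as the system it was taken on, which is the point made at the end of the thread: once root has been compromised, a scan like this reports differences from a state that may itself already be tainted.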