Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: Notesfiles $Revision: 1.6.2.17 $; site uokvax.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!ihnp4!inuxc!pur-ee!uiucdcs!uokvax!emks
From: emks@uokvax.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Re: Findsuid source (Re: Security an
Message-ID: <6200049@uokvax.UUCP>
Date: Fri, 8-Feb-85 04:08:00 EST
Article-I.D.: uokvax.6200049
Posted: Fri Feb  8 04:08:00 1985
Date-Received: Mon, 11-Feb-85 07:19:14 EST
References: <327@lsuc.UUCP>
Lines: 32
Nf-ID: #R:lsuc:-32700:uokvax:6200049:000:1490
Nf-From: uokvax!emks    Feb  8 03:08:00 1985

/***** uokvax:net.unix-wizar / enmasse!mike /  8:04 pm  Feb  1, 1985 */
> Another problem with having a find-suid-programs program that runs based
> on crontab entries is that anyone can see when the find-suid-programs
> program is going to run next, and make their moves on that basis.
>
> kurt

But what are they going to do about it.  I suppose that if they knew the
order in which file systems were traversed they might be able to move their
program to a safe area and back again when all clear, but this seems a little
drastic.  Easier to just modify an existing suid-root program (like su) to
grant a specific user or password root access.

CACM had an interesting article on this stuff a while back...  It amounted
to this: once root has been compromised just once, the whole system is suspect
unless everything is rebuilt from scratch, from the distribution tape.
/* ---------- */

Your last paragraph is correct.  From a more practical standpoint, though,
were I to find some loophole (like using sendmail to create suid-root files
containing binaries, etc.), I'd prefer to know at what time the regular search
for suid programs took place.  If I *knew* that the find started at 4 a.m.,
I'd remove all traces before then.  That's all a hypothetical "what-if" thing,
though.

You're far more correct to say that once a system's been broken, it remains
that way (from a potential security violation standpoint) until a trustworthy
person brings in certified "clean" code.

		kurt
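The thread turns on two points: a cron-driven search for setuid programs only catches what is present at the moment it runs, and the more worrying case is an existing suid-root binary (su, in mike's example) being altered rather than a new one appearing. The script below is an added example, not the findsuid source being discussed nor any code from the posters; it shows the baseline-and-compare form of such an audit, which reports modified setuid/setgid files as well as new or removed ones because each manifest line carries the file's checksum. It assumes a POSIX shell with find(1), cksum(1), sort(1) and comm(1); the function names suid_manifest and suid_diff and the manifest layout are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original posting or the findsuid program):
# a checksummed manifest of setuid/setgid files plus a baseline comparison.
# Assumes POSIX find/cksum/sort/comm. Function and file names are constructed.

# suid_manifest DIR
# Writes one line per setuid or setgid regular file beneath DIR, in the
# cksum(1) form "crc size path", sorted so comm(1) can compare manifests.
# -xdev keeps the walk on one file system, matching a per-filesystem run.
suid_manifest() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec cksum {} + 2>/dev/null | sort
}

# suid_diff BASELINE CURRENT
# Prints every line present in only one manifest. A new file shows up once
# (current only), a removed file once (baseline only), and a modified file
# twice (old checksum in baseline, new checksum in current). Returns 1 when
# anything differs, 0 when the set of setuid/setgid files is unchanged.
suid_diff() {
    changes=$(comm -3 "$1" "$2")
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Typical use: store the baseline once, then run the comparison from cron
# (or at irregular times) and act on a nonzero exit status.
#   suid_manifest / > /var/adm/suid.base          # once, on a trusted system
#   suid_manifest / > /tmp/suid.now && suid_diff /var/adm/suid.base /tmp/suid.now
```

The baseline is only worth as much as the system it was taken on; kurt's closing point applies here too, so it should be produced from a known-clean build and stored where a local root cannot quietly rewrite it. Running the comparison from a fixed cron slot has exactly the predictability the thread complains about, which is why the comparison, not the fixed schedule, is what this example emphasises.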