Another Huge Security Hole!


Post by Uri Blumenth » Thu, 26 May 1994 05:08:28



Hi,
        It's Linux-1.1.14. The problem is: when you
        log in as <whoever>, it still gives you UID
        [you guessed it :-] 0.  I.e. to become root
        on Linux-1.1.14,  you just have to login to
        the box...

        Linux-1.1.13 doesn't exhibit such bad behavior.

        No fix yet, as I didn't figure out the cause.
        One thing seems certain - it has nothing to
        do with getty/login/whatever program...The
        new (1.1.14) kernel has your UID==0 always,
        1.1.13 seems to be correct.

        Regards,
        Uri.
------------
<Disclaimer>

 
 
 


Post by Michael Pe » Thu, 26 May 1994 23:11:14


: Hi,
:       It's Linux-1.1.14. The problem is: when you
:       log in as <whoever>, it still gives you UID
:       [you guessed it :-] 0.  I.e. to become root
:       on Linux-1.1.14,  you just have to login to
:       the box...

:       Linux-1.1.13 doesn't exhibit such bad behavior.

:       No fix yet, as I didn't figure out the cause.
:       One thing seems certain - it has nothing to
:       do with getty/login/whatever program...The
:       new (1.1.14) kernel has your UID==0 always,
:       1.1.13 seems to be correct.

:       Regards,
:       Uri.
: ------------
: <Disclaimer>

 
 
 


Post by Erik Ols » Thu, 26 May 1994 11:12:37



>Hi,
>    It's Linux-1.1.14. The problem is: when you
>    log in as <whoever>, it still gives you UID
>    [you guessed it :-] 0.  I.e. to become root
>    on Linux-1.1.14,  you just have to login to
>    the box...

This would appear to be an effect of not doing a "make mrproper" after
upgrading from 1.1.13 to 1.1.14.

   - Erik


 
 
 


Post by Rob Janss » Thu, 26 May 1994 17:08:45



>Hi,
>    It's Linux-1.1.14. The problem is: when you
>    log in as <whoever>, it still gives you UID
>    [you guessed it :-] 0.  I.e. to become root
>    on Linux-1.1.14,  you just have to login to
>    the box...
>    Linux-1.1.13 doesn't exhibit such bad behavior.
>    No fix yet, as I didn't figure out the cause.
>    One thing seems certain - it has nothing to
>    do with getty/login/whatever program...The
>    new (1.1.14) kernel has your UID==0 always,
>    1.1.13 seems to be correct.

Not on my system...  Maybe you did install one of the not-so-correct
attempts at fixing the security bug?

Rob

 
 
 


Post by lcvanv.. » Thu, 26 May 1994 17:45:21



> Hi,
>    It's Linux-1.1.14. The problem is: when you
>    log in as <whoever>, it still gives you UID
>    [you guessed it :-] 0.  I.e. to become root
>    on Linux-1.1.14,  you just have to login to
>    the box...

>    Linux-1.1.13 doesn't exhibit such bad behavior.

>    No fix yet, as I didn't figure out the cause.
>    One thing seems certain - it has nothing to
>    do with getty/login/whatever program...The
>    new (1.1.14) kernel has your UID==0 always,
>    1.1.13 seems to be correct.

>    Regards,
>    Uri.
> ------------
> <Disclaimer>

After a first rush of slight panic after reading your mail,
I quickly booted-up linux 1.1.14 and logged in as myself.
My UID is still at 406, so on my machines nothing goes wrong.
I got my 1.1.13 from ftp.helsinki.fi because for some strange
reason my own 1.1.12 wouldn't patch into 1.1.13. Maybe you
also have something like that on your system, only it still
compiles. Although it does sound strange to me that this really
could be the case.
Good luck,
Martijn.
 
 
 


Post by Stefan Rodenste » Thu, 26 May 1994 20:36:31


: Hi,
:       It's Linux-1.1.14. The problem is: when you
:       log in as <whoever>, it still gives you UID
:       [you guessed it :-] 0.  I.e. to become root
:       on Linux-1.1.14,  you just have to login to
:       the box...

Strange... my Linux-1.1.14 works correctly.. the users get the right IDs...
are you sure it's the kernel?
ciao
        Stefan

--



Entropy isn't what it used to be.

 
 
 


Post by Gauger Maximili » Fri, 03 Jun 1994 00:24:49




> : Hi,
> :  It's Linux-1.1.14. The problem is: when you
> :  log in as <whoever>, it still gives you UID
> :  [you guessed it :-] 0.  I.e. to become root
> :  on Linux-1.1.14,  you just have to login to
> :  the box...

Are you 100% sure you have your /etc/passwd and /etc/groups set correctly?
Look it up again, though it may sound trivial.

Max