[GLLUG] root access
Charles Williams
willcha@sme.org
Fri, 12 Apr 2002 14:57:59 -0400
This had been a situation earlier and your thread reminded me of it.
I went to try out some things you folks are questioning.
I tried this out as myself (willcha) and NOT as root.
1.) A directory I have ownership in (by way of my group). A file I don't
have permission for.
I can ftp the file to my hard drive.
I can delete this file from the Solaris Unix web server while I'm in ws_ftp.
I can then replace the file on the Solaris Unix server and it now has my
ownership.
2.) A directory I don't have ownership in. A file I don't have ownership
privileges for.
I can't copy the file to my hard drive.
Can't delete with ws_ftp.
Dennis (below) says it's "definitely the default" and if that's so then I
can cautiously say that such installations here are done by the defaults.
And pfaffben says it's "allowed" and not a security hole. Ok. I'll buy that.
There's lots of things that make me wonder and this was one of them.
Thanks for clearing this up.
--chuck williams
> -----Original Message-----
> Charles Williams <willcha@sme.org> writes:
>
> > We are on Solaris and some of our web team have found a way to "break in" to
> > root access with ws_ftp to upload files (usually html or gifs) from their
> > wintel pc. I know I've tried this out: with ws_ftp I can delete a file I
> > don't have privileges for. [...]
>
> Are you deleting a file that you don't own that is in a directory
> that you do own? That's allowed and not a security hole.
> --
> <blp@cs.stanford.edu> <pfaffben@msu.edu> <pfaffben@debian.org>
> <blp@gnu.org>
> Stanford Ph.D. Student - MSU Alumnus - Debian Maintainer - GNU Developer
> Personal webpage: http://www.msu.edu/~pfaffben
>
--------------------------
This problem is most likely related to misconfiguration... either with
the ftp server, user(s), file ownership/permissions, etc.
This is definitely the default for any version of Solaris I have used
(2.5 - 8)
Dennis
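
The behaviour discussed in this thread, as an added example that is not part of the original messages or written by their participants: removing or replacing a file is decided by the permissions of the directory that holds it, not by the file's own mode. This Python sketch audits a tree for files that a group or "other" user cannot write but can still delete and replace; the helper names, directory names and the sample tree it builds are constructed for illustration.

```python
import os
import stat
import tempfile

def unlink_classes(dir_mode):
    """Non-owner classes that may delete entries in a directory with this mode."""
    if dir_mode & stat.S_ISVTX:
        # Sticky bit (restricted deletion): a non-owner who cannot write
        # the file may not remove it, even if the directory is writable.
        return set()
    classes = set()
    # Removing a name needs write AND search (execute) on the directory;
    # the file's own owner and mode are not consulted.
    if dir_mode & stat.S_IWGRP and dir_mode & stat.S_IXGRP:
        classes.add("group")
    if dir_mode & stat.S_IWOTH and dir_mode & stat.S_IXOTH:
        classes.add("other")
    return classes

def audit(root):
    """Return {relative path: classes} for files a class can delete and
    replace via the directory although the file mode denies that class write."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        can_unlink = unlink_classes(os.lstat(dirpath).st_mode)
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            no_write = {c for c, bit in (("group", stat.S_IWGRP), ("other", stat.S_IWOTH)) if not mode & bit}
            hit = can_unlink & no_write
            if hit:
                findings[os.path.relpath(full, root)] = hit
    return findings

def demo():
    """Constructed tree: the thread's two cases plus a sticky-bit directory."""
    with tempfile.TemporaryDirectory() as root:
        for sub, dmode in (("group_dir", 0o775), ("closed_dir", 0o755), ("sticky_dir", 0o1775)):
            os.mkdir(os.path.join(root, sub))
            path = os.path.join(root, sub, "index.html")
            with open(path, "w") as f:
                f.write("<html></html>\n")
            os.chmod(path, 0o644)                       # only the owner may write the file
            os.chmod(os.path.join(root, sub), dmode)    # directory mode decides deletion
        return audit(root)

if __name__ == "__main__":
    for path, classes in sorted(demo().items()):
        print(path, "can be deleted/replaced by:", ", ".join(sorted(classes)))
```

Only the file in the group-writable directory is reported; clearing group write on the directory or setting its sticky bit removes the finding.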