From:     Digestifier <Linux-Admin-Request@senator-bedfellow.mit.edu>
To:       Linux-Admin@senator-bedfellow.mit.edu
Reply-To: Linux-Admin@senator-bedfellow.mit.edu
Date:     Thu, 23 Sep 93 02:13:20 EDT
Subject:  Linux-Admin Digest #71

Linux-Admin Digest #71, Volume #1                Thu, 23 Sep 93 02:13:20 EDT

Contents:
  Re: [Summary] /etc/shutdown by non-root (Jon Hamilton)
  Re: [Not] enough SLS bashing (Ed H. Chi)
  [Q] How to make modem hangup (David Liebert)
  Re: Memory LEAKING!*=--.._ (Stephen Harris)
  Re: 3.5 boot floppies. Not really Re: [Not] enough SLS bashing anymore (Ed H. Chi)
  Re: [Summary] /etc/shutdown by non-root (Sten Drescher)
  Re: [Q] How to make modem hangup (Frank Lofaro)
  Re: [Summary] /etc/shutdown by non-root (James Chacon)
  Re: [Summary] /etc/shutdown by non-root (David Wright)
  Re: [Summary] /etc/shutdown by non-root (Larry Doolittle)
  Re: TeX from SLS (Eberhard Moenkeberg)
  help for X of linux
  Re: [Summary] /etc/shutdown by non-root (Kenneth H. Simpson)
  Slackware series installation (Kenton.Sinner)

----------------------------------------------------------------------------

Crossposted-To: comp.unix.admin
From: jdh@iastate.edu (Jon Hamilton)
Subject: Re: [Summary] /etc/shutdown by non-root
Date: Wed, 22 Sep 1993 17:38:53 GMT

In article <27pjmeINNlqf@rs18.hrz.th-darmstadt.de> josch@pc.chemie.th-darmstadt.de (Joachim Schnitter) writes:
>Valdis Kletnieks (valdis@black-ice.cc.vt.edu) wrote:
>: In article <27d35q$bol@agate.berkeley.edu> boss@soda.berkeley.edu (Brion Moss) writes:
>: >(The script was then setuid root, of course).  This seemed to work pretty
>: >well.
>
>: A set-UID root shell script is equivalent to giving every user on
>: the system unrestricted root access.
>
>: I suggest you find a way to do it without set-UID shell scripts.
>
>:                              Valdis Kletnieks
>:                              Computer Systems Engineer
>:                              Virginia Tech
>
>Sorry to say that this seems to be real nonsense. A script is simply fed
>into a shell or another interpreter. It is the shell's permissions which
>counts - not the script's.
>
>Try it out and you will see that you cannot give someone root permissions
>with a setuid root script as long as you do not make the shell run setuid
>root (The latter is equivalent to "rm -rf /" as root :-).

The shell inherits the euid of the caller, in this case the script.  When
running a setuid root script, the shell *does* run suid root.  Kinda.
Last I heard Linux ignored the suid bit on shell scripts.  Maybe it still
does.  

>
>-Joachim
>--
>______________________________________________________________________
>Joachim Schnitter                           Tel.: +49 (61 51) 16-53 97
>Technische Hochschule Darmstadt             Fax : +49 (61 51) 16-42 98
>Physikalische Chemie I
>Petersenstr. 20
>64287 Darmstadt
>Germany                        E-Mail: josch@pc.chemie.th-darmstadt.de
>
>


-- 
====================================================================
= Jon Hamilton    | "I guess irony can be pretty ironic sometimes" =
= jdh@iastate.edu |                -- Airplane                     =
====================================================================

------------------------------

From: ehhchi@maroon.tc.umn.edu (Ed H. Chi)
Subject: Re: [Not] enough SLS bashing
Date: Wed, 22 Sep 1993 18:51:10 GMT


hear, hear!!

--
  o/    \  /    \ /     /      \o    email: ehhchi@staff.tc.umn.edu
 /#      ##o     #     o##      #\
 / \    /  \    /o\    / |\    / \

------------------------------

From: david@omphalos.equinox.gen.nz (David Liebert)
Subject: [Q] How to make modem hangup
Date: Tue, 21 Sep 1993 22:25:07 GMT

I have serial dial-in/out set up fine with one small problem: after
someone logs out on the serial port, the modem doesn't hang up.

This same problem is also reflected with uucp: if uucico exits with
a failed chat sequence I'm left connected to my uucp host.

PLEASE DON'T TELL ME TO SET -CLOCAL & HUP - no amount of fiddling
with these settings does any good.

Similarly, if I run this script with "> /dev/cua2 < /dev/cua2":

#!/bin/sh
stty -clocal
echo -ne "ath1\r"
sleep 5
stty 0

I'm left with the phone "off the hook".

Is my modem faulty/primitive/wired-incorrectly?



------------------------------

From: harris@teaching.physics.ox.ac.uk (Stephen Harris)
Subject: Re: Memory LEAKING!*=--.._
Date: 22 Sep 93 19:42:04 BST

Stephen Tweedie (sct@dcs.ed.ac.uk) wrote:
: In article <1993Sep19.204800.10264@inca.comlab.ox.ac.uk>, harris@teaching.physics.ox.ac.uk (Stephen Harris) writes:

: > programs, the buffer needs to shrink, and this can lead to a pause as
: > parts of it are written back to disk.  This is one case where a hardware

: This slightly misses the mark.  Normally, the buffer-cache shrinking
: does not require any buffers to be written out, since every 30 seconds
: or so, all dirty buffers are automatically written out anyway.  This

Yeah.  I did say "can" :-)
Actually I mainly observed this "wait a while" behaviour when I was
moving a few Mb files between disks (hdb1 and hda3) as I was tidying the
system.  The update daemon causing a sync every 30 seconds wasn't too bad
because the 0.5Mb hardware cache managed to keep up with most updates.

( and for the guy who reckons I only have a 486dx-33 ....wrong! real live
dx2-66 (Gateway 2000) - I pulled the lid off before I even turned the machine
on :-))

--
                            Stephen Harris
                     harris@teaching.physics.ox.ac.uk
 
  Opinions are just opinions, and the facts are the facts.  But what are what?

------------------------------

From: ehhchi@maroon.tc.umn.edu (Ed H. Chi)
Subject: Re: 3.5 boot floppies. Not really Re: [Not] enough SLS bashing anymore
Date: Wed, 22 Sep 1993 18:47:47 GMT

In article <dvs.226.748692010@ze8.rz.uni-duesseldorf.de> dvs@ze8.rz.uni-duesseldorf.de (Wolfgang R. Mueller) writes:
>In article <CDqAD2.J3@jonh.wimsey.bc.ca> jhenders@jonh.wimsey.bc.ca (John Henders) writes:
>>    However, as a constructive (hopefully) suggestion, has anyone
>>considered that if someone has a 5 1/2 boot drive, installing lilo on it
>>could cause linux to load from the 3 1/2 drive? 
>
>What about bootb.zip ? ( from ancient SLS times yet available at
>clio.rz.uni-duesseldorf.de:[/rz/ftp/]linux/sls102 )
>Or is that no longer usable because of the double ramdisk copyings (the 
>second one after the kernel configuration messages and so presumably not by 
>bios calls) ?
>Wolfgang R. Mueller <dvs@ze8.rz.uni-duesseldorf.de>,
>Computing Centre, Heinrich-Heine-University, Duesseldorf, Germany.


yes, bootb still works.

So, are you thinking the same thing I am??

What's all this fuss about making 5 1/4 boot disks??  Just use bootb, and
you won't ever have to make two separate boot disk mediums.

--
  o/    \  /    \ /     /      \o    email: ehhchi@staff.tc.umn.edu
 /#      ##o     #     o##      #\
 / \    /  \    /o\    / |\    / \

------------------------------

Crossposted-To: comp.unix.admin
Subject: Re: [Summary] /etc/shutdown by non-root
From: smd@floyd.brooks.af.mil (Sten Drescher)
Date: 22 Sep 93 14:23:58

On 22 Sep 1993 13:24:30 GMT, josch@pc.chemie.th-darmstadt.de (Joachim Schnitter) said:

Joachim> : >(The script was then setuid root, of course).  This seemed
Joachim> : > to work pretty well.

Joachim> : A set-UID root shell script is equivalent to giving every user on
Joachim> : the system unrestricted root access.

Joachim> : I suggest you find a way to do it without set-UID shell scripts.

Joachim> Sorry to say that this seems to be real nonsense. A script is
Joachim> simply fed into a shell or another interpreter. It is the
Joachim> shell's permissions which counts - not the script's.

Joachim> Try it out and you will see that you cannot give someone root
Joachim> permissions with a setuid root script as long as you do not
Joachim> make the shell run setuid root (The latter is equivalent to "rm
Joachim> -rf /" as root :-).

        This is on SunOS 4.1.2:

Animal(ttyp1):smd> su
Password:
Animal# vi suidroot
<editing not shown>
Animal# cat suidroot
#!/bin/sh
echo Hah!  You\'re not root!
Animal# chmod a+x,u+s suidroot
Animal# ls -l suidroot
-rwsr-xr-x  1 root           11 Sep 22 13:52 suidroot
Animal# ls -l /bin/sh
-rwxr-xr-x  1 root       106496 Oct 23  1991 /bin/sh
Animal# exit
Animal# Animal(ttyp1):smd> suidroot
Hah! You're not root!
Animal(ttyp1):smd> -i
-i: Command not found.
Animal(ttyp1):smd> ln suidroot ./-i
Animal(ttyp1):smd> ls -l ./-i
lrwxrwxrwx   1 smd      rides           8 Sep 22 14:14 ./-i -> suidroot*
Animal(ttyp1):smd> ./-i
Hah! You're not root!
Animal(ttyp1):smd> -i
# whoami
root
# 


        Does this convince you that a suid root script, with any name,
can be used to become root, even if the shell that executes it is not
suid root?  
--
Sten Drescher           smd@floyd.brooks.af.mil
#include <disclaimer.h>
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
An email reply to this USENET article gives me permission
  to quote any or all of it in a future USENET article.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

From: ftlofaro@unlv.edu (Frank Lofaro)
Subject: Re: [Q] How to make modem hangup
Date: Wed, 22 Sep 93 20:08:55 GMT

In article <1993Sep21.222507.5363@omphalos.equinox.gen.nz> david@omphalos.equinox.gen.nz (David Liebert) writes:
>I have serial dial-in/out set up fine with one small problem: after
>someone logs out on the serial port, the modem doesn't hang up.
>
>This same problem is also reflected with uucp: if uucico exits with
>a failed chat sequence I'm left connected to my uucp host.
>
>PLEASE DON'T TELL ME TO SET -CLOCAL & HUP - no amount of fiddling
>with these settings does any good.
>
>Similarly, if I run this script with "> /dev/cua2 < /dev/cua2":
>
>#!/bin/sh
>stty -clocal
>echo -ne "ath1\r"
>sleep 5
>stty 0
>
>I'm left with the phone "off the hook".
>
>Is my modem faulty/primitive/wired-incorrectly?
>
>

        Make sure that the modem is configured to hang up on DTR drop. 
Maybe AT&D2 or AT&D3 does it on your modem. You then make sure stty hupcl is 
set, and things should work. The modem does need to be set for hangup on DTR 
loss in order for things to work the way you want. Either try the above AT 
commands (or check your manual for the ones for your modem), or flip the 
appropriate DIP switch. Unless your modem doesn't support hangup on DTR drop, 
in which case you can't do much...


------------------------------

From: jmc@pawnee.telecom.ksu.edu (James Chacon)
Crossposted-To: comp.unix.admin
Subject: Re: [Summary] /etc/shutdown by non-root
Date: 22 Sep 1993 15:29:56 -0500

josch@pc.chemie.th-darmstadt.de (Joachim Schnitter) writes:

>Valdis Kletnieks (valdis@black-ice.cc.vt.edu) wrote:
>: In article <27d35q$bol@agate.berkeley.edu> boss@soda.berkeley.edu (Brion Moss) writes:
>: >(The script was then setuid root, of course).  This seemed to work pretty
>: >well.

>: A set-UID root shell script is equivalent to giving every user on
>: the system unrestricted root access.

>: I suggest you find a way to do it without set-UID shell scripts.

>:                              Valdis Kletnieks
>:                              Computer Systems Engineer
>:                              Virginia Tech

>Sorry to say that this seems to be real nonsense. A script is simply fed
>into a shell or another interpreter. It is the shell's permissions which
>counts - not the script's.

>Try it out and you will see that you cannot give someone root permissions
>with a setuid root script as long as you do not make the shell run setuid
>root (The latter is equivalent to "rm -rf /" as root :-).

Please get some information about this sort of situation before attempting
to spout off "fact". As a matter of given fact setuid root shell scripts are
a major security hole and can be used to gain root access in a matter
of seconds for someone who knows what they are doing. 

A setuid shell script runs setuid, so does the shell that interprets it. It
can be spoofed very very easily.

James
-- 
jmc@telecom.ksu.edu                       James Chacon
                                          Kansas State University
DID: (913) 532-4560                            Telecommunications
Fax: (913) 532-7114                       Manhattan  KS  66506

------------------------------

From: dmw@prism1.prism1.com (David Wright)
Crossposted-To: comp.unix.admin
Subject: Re: [Summary] /etc/shutdown by non-root
Date: 22 Sep 93 18:27:11 GMT

>>>>> "JS" == Joachim Schnitter <josch@pc.chemie.th-darmstadt.de> writes:

  JS> Sorry to say that this seems to be real nonsense. A script is simply fed
  JS> into a shell or another interpreter. It is the shell's permissions which
  JS> counts - not the script's.

        No, sorry to say, but what YOU are saying is not exactly true. SUID
shell scripts are so insecure, and require so much attention to keep them
secure that many shells are compiled to IGNORE the SUID bits on the shell
scripts. But this is a function of the SHELL, not the script itself, and you
can not count on this behavior.

        For example, on SCO Unix, SCO Xenix 286, SCO Xenix 386, most likely
any SYSV R3 system, the "sh" interpreter does NOT ignore the SUID bits on
shell scripts, and WILL INDEED execute the commands inside the script as if
you were root.

        However, their *KSH* shell *does* ignore the SUID bits, which I
found out when our Unix software stopped working. We were not explicitly
exec'ing things with "/bin/sh", and so it was using the default shell of
"/bin/ksh", which reverted the owner back to their RUID instead of leaving
the EUID alone. The "ksh" I had under SCO Xenix did not do this.

        See the Perl install files for comments on SUID shell scripts....

                                                Dave

--
  ____________________________________________________________________________
 |        /\ /          | Prism Computer Applications        |  David Wright  |
 |      -/--\--         | 14650 Detroit Ave, Suite LL40      | dmw@Prism1.COM |
 |      /____\          | Lakewood, OH 44107  USA            |  216-228-1400  |

------------------------------

Crossposted-To: comp.unix.admin
From: doolitt@cebaf4.cebaf.gov (Larry Doolittle)
Subject: Re: [Summary] /etc/shutdown by non-root
Reply-To: doolitt@cebaf4.cebaf.gov (Larry Doolittle)
Date: Wed, 22 Sep 1993 17:41:08 GMT

In article <9326523.23936@mulga.cs.mu.OZ.AU>, fjh@munta.cs.mu.OZ.AU
(Fergus James HENDERSON) writes:
> 
> I do have a patch to Linux which provides _secure_ setuid shell scripts,
> so long as there aren't any security problems with the shell itself.
> Linux's standard shell (bash) has only one security problem ($ENV)
> for which I also have a patch.  If you install both of these patches,
> then you can have completely secure setuid shell scripts.
> (Of course, as with any setuid program, you still need to be careful!)

Has anybody tried to make a setuid PERL script to handle floppy
mounts and dismounts?  I have read the docs for PERL, and done
some simple string handling with it.  The PERL docs suggest it
has the required level of security, but it also seems a little
lacking in sys-admin functionality.

               - Larry Doolittle   doolittle@cebaf.gov

------------------------------

Date: Wed, 22 Sep 93 01:57:04 +0100
From: Eberhard_Moenkeberg@p27.rollo.central.de (Eberhard Moenkeberg)
Subject: Re: TeX from SLS


Hello Peter and all others,

on 18.09.93 Peter Berger wrote to All in USENET.COMP.OS.LINUX.ADMIN:

PB> the TeX-Disks from SLS seem to be screwed up.

"seemed", my friend... Thomas Dunbar has fixed it a long time ago. :-)

PB> In the archive texbin.tgz (on T1) is a file /usr/Tex/lib/tex/inputs which
PB> really shouldn't be in there. It prevents two or three following archives
PB> to install correctly 'cause in them there are files which should be
PB> extracted to /usr/TeX/lib/tex/inputs/* (a directory).
PB>
PB> I solved this just by NOT-installing the archive texbin during "normal"
PB> installation of the T-series

That is not "solving"... Why didn't you just rename that file
.../inputs to plain.tex, create a directory instead, move it
into it and try to install again? :-)

PB> grep for pkgtool in the setup script to get an idea how to use

Or have a look into README_ChangeLog.

Greetings ... Eberhard


------------------------------

From: ghhwang@pllab1 ()
Subject: help for X of linux
Date: 23 Sep 1993 00:52:09 GMT


Dear friends,
   I have installed the SLS1.03 yesterday. However, there are some problems.

   (1) I cannot use "df"
   (2) While I run X, the following message appeared:
       >PEXExtensionInit : Couldn't open default PEX FONT ffile Roman_M

  Please help me!

  ghhwang@cs.nthu.edu.tw


------------------------------

Crossposted-To: comp.unix.admin
From: ken@kronos.arc.nasa.gov (Kenneth H. Simpson)
Subject: Re: [Summary] /etc/shutdown by non-root
Date: Thu, 23 Sep 1993 00:56:09 GMT

In article <27pjmeINNlqf@rs18.hrz.th-darmstadt.de> josch@pc.chemie.th-darmstadt.de (Joachim Schnitter) writes:
>Valdis Kletnieks (valdis@black-ice.cc.vt.edu) wrote:
>: In article <27d35q$bol@agate.berkeley.edu> boss@soda.berkeley.edu (Brion Moss) writes:
>: >(The script was then setuid root, of course).  This seemed to work pretty
>: >well.
>
>: A set-UID root shell script is equivalent to giving every user on
>: the system unrestricted root access.
>
>: I suggest you find a way to do it without set-UID shell scripts.
>
>:                              Valdis Kletnieks
>:                              Computer Systems Engineer
>:                              Virginia Tech
>
>Sorry to say that this seems to be real nonsense. A script is simply fed
>into a shell or another interpreter. It is the shell's permissions which
>counts - not the script's.
>
>Try it out and you will see that you cannot give someone root permissions
>with a setuid root script as long as you do not make the shell run setuid
>root (The latter is equivalent to "rm -rf /" as root :-).
>
>-Joachim
>--
>______________________________________________________________________
>Joachim Schnitter                           Tel.: +49 (61 51) 16-53 97
>Technische Hochschule Darmstadt             Fax : +49 (61 51) 16-42 98
>Physikalische Chemie I
>Petersenstr. 20
>64287 Darmstadt
>Germany                        E-Mail: josch@pc.chemie.th-darmstadt.de
>
>

It depends upon which shell you use, e.g., if you use perl, it may or may
not ignore UID/GUID bits - it's a compile time option. If you use the
shell on a SPARC as in 

        /bin/sh 

it will execute the command as root if the SUID bit is set on the script
and the script is owned by root.
-- 
==============================================================================
Kenneth Simpson                                 NASA
Internet: ken@ptolemy.arc.nasa.gov              Ames Research Center, MS/269-1
UUCP: ames!ptolemy!ken                          Moffett Field, CA 94035-1000  
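
A defensive follow-up to the set-UID script thread above, added as an example and not part of any poster's message: a POSIX shell audit that lists set-UID/set-GID files beginning with `#!` and can clear those bits. The function names and the report format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the digest): locate set-UID/set-GID files that are
# interpreter scripts, the file type this thread warns about, and optionally
# clear the bits. Function names and output format are this example's own.

# scan_suid_scripts ROOT ACTION
#   ACTION=report  print "PATH<TAB>first line" for every match
#   ACTION=strip   chmod u-s,g-s every match, then print its path
scan_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c '
            action=$1; shift
            for f do
                # The first two bytes decide: "#!" means the file is run by
                # an interpreter. dd if= takes names such as "-i" as data.
                magic=$(dd if="$f" bs=2 count=1 2>/dev/null | tr -d "\000")
                if [ "$magic" = "#!" ]; then
                    case $action in
                        strip) chmod u-s,g-s -- "$f" && printf "%s\n" "$f" ;;
                        *)     printf "%s\t%s\n" "$f" "$(head -n 1 -- "$f")" ;;
                    esac
                fi
            done
        ' sh "$2" {} + 2>/dev/null
}

# Report only: one line per set-UID/set-GID script under ROOT.
find_suid_scripts()  { scan_suid_scripts "$1" report; }

# Remediate: clear the set-UID/set-GID bits on scripts, leave binaries alone.
strip_suid_scripts() { scan_suid_scripts "$1" strip; }

# Stand-alone use: sh audit.sh /usr/local   (report mode)
if [ "$#" -ge 1 ]; then
    find_suid_scripts "$1"
fi
```

Compiled set-UID binaries are deliberately left out of the report, so the output is limited to the interpreter-script case the posters argue about.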

------------------------------

From: Kenton.Sinner <Kenton.Sinner@mixcom.mixcom.com>
Subject: Slackware series installation
Date: Thu, 23 Sep 1993 00:16:17 GMT

I recently installed slackware 1.0.2, but I only installed the
"a" series.  I now wish to install the "x" series, but I can't
find the command to do so in any documentation.
Could someone please clue me in on the command to use?
Thanks greatly.

-- 
Kenton.Sinner@mixcom.com

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: Linux-Admin-Request@NEWS-DIGESTS.MIT.EDU

You can send mail to the entire list (and comp.os.linux.admin) via:

    Internet: Linux-Admin@NEWS-DIGESTS.MIT.EDU

Linux may be obtained via one of these FTP sites:
    nic.funet.fi				pub/OS/Linux
    tsx-11.mit.edu				pub/linux
    sunsite.unc.edu				pub/Linux

End of Linux-Admin Digest
******************************
