From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 13298 invoked from network); 20 Nov 2021 02:56:51 -0000 Received: from minnie.tuhs.org (45.79.103.53) by inbox.vuxu.org with ESMTPUTF8; 20 Nov 2021 02:56:51 -0000 Received: by minnie.tuhs.org (Postfix, from userid 112) id 3637594486; Sat, 20 Nov 2021 12:56:46 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 162F593D61; Sat, 20 Nov 2021 12:54:14 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 92D3293D61; Sat, 20 Nov 2021 12:54:12 +1000 (AEST) X-Greylist: delayed 313 seconds by postgrey-1.36 at minnie.tuhs.org; Sat, 20 Nov 2021 12:54:11 AEST Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by minnie.tuhs.org (Postfix) with ESMTPS id 69EB193D5E for ; Sat, 20 Nov 2021 12:54:11 +1000 (AEST) Received: from callcc.thunk.org ([64.129.1.46]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1AK2mhfp029159 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 Nov 2021 21:48:45 -0500 Received: by callcc.thunk.org (Postfix, from userid 15806) id 2B146420301; Fri, 19 Nov 2021 21:48:42 -0500 (EST) Date: Fri, 19 Nov 2021 21:48:42 -0500 From: "Theodore Y. Ts'o" To: Alan Glasser Message-ID: References: <202111200130.1AK1UIj51103141@darkstar.fourwinds.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [TUHS] Two anecdotes X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: TUHS main list Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" On Fri, Nov 19, 2021 at 09:08:49PM -0500, Alan Glasser wrote: > Most of the hundreds (thousands?) of Unix systems running in Bell > Labs seemed to have well guarded root passwords. There was always > social engineering, like Rob mentioned. And, of course, setuid root > exploits that I enjoyed. Does anyone remember the security vulnerability existed where /bin/mail was setuid root, and you could issue the command "!/bin/ed /etc/passwd" and the editor would be executed as root because /bin/mail failed to drop the setuid root privs before executing the shell escape? When I was a Freshman at MIT I implementing some image processing programming on an old Unix system for a Materials Science professor in 1987 as part of MIT's Undergraduate Research Opportunities Program (UROP). It was some ancient Unix program, and to my amazement, the /bin/mail security vulnerability was there even though it was a famous security oopise that should have been patched long before. I *think* the system was some kind of AT&T Unix (not BSD) system, but I can't remember the hardware or the specific Unix that was on the system. Does anyone know how long and on which Unix variants this particular /bin/mail setuid root vulnerability was around? - Ted