On Fri, Mar 11, 2005 at 01:52:53AM +0100, Jiri Kosina says:
> $ globus-job-run ce001.m45.ihep.su:2119/jobmanager-fork /bin/ls -l
> /usr/bin/ssh
> -r-s--x--x 1 root root 273832 Sep 17 2003 /usr/bin/ssh
>
> The first one doesn't need comment, I think. The second one is quite
> suspicious - there is no reason for ssh client to be setuid root.
Actually, there is: for openssh < 3.3 ssh IS setuid to make rhosts and
hostbased auth work. But you are right: such unusual permissions are quite
strange and /etc/issue is self-speaking.
One possible breakin path is via stock sendmail in RH 7.3 that gives you
local root. At least for LCG-2.2.0 it is so, and, as I understand,
LCG-2.3.0 installs the same version: 8.11.6-27.73. I myself tested it on
2.2.0 -- it perfectly gives local root. So chances are quite big, that for
2.3.0 it is so. I don't know about 2.3.1, but I'll investigate it today.
Just my 2 cents.
--
rea
|