COMMAND

    permissions

SYSTEMS AFFECTED

    AIX 3.2.5.0, 4.1.4.0, 4.2.1.0 (all?), HP-UX (ALL!)

PROBLEM

    The following may represent a security risk. It was posted by Yaron
    Yanay. The problem is that the owner of "/" is user bin instead of
    user root, which means that anyone who manages to get "bin"
    permissions might get root permissions by:

        > mv /etc /etc.old
        > cp -r /etc.old /etc
        > echo "toor::0:0:bug:/:/bin/tcsh">> /etc/passwd

    or something like that. To get bin permissions, one would exploit
    the current version of sendmail, use a misconfigured NFS server, or
    exploit a buffer overflow in /usr/bin/nslookup (the only setuid-bin
    program in AIX, and it is setuid only in AIX 4.1.5).

    Douglas Siebert confirmed HP-UX (all versions) has a similar
    problem. / is owned by root:root, but subdirectories, such as
    /etc, are owned by bin:bin, as are most system binaries.

SOLUTION

    AIX is aware of it and it doesn't look like this is going to be
    changed. HP doesn't seem too eager to fix it either. As for HP-UX,
    you can remove the setuid bit from kermit, and do a find for
    anything owned by bin and chown it to root. Other than needing to
    fix one or two things in /usr/lbin (making permissions on identd
    and maybe fingerd less strict so that they can still run as "bin"),
    everything works fine when you do this.
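
    The ownership check behind the SOLUTION above, as an added example
    that is not part of the original advisory. check_chain flags every
    path component, from a file up to a top directory, that is not owned
    by the trusted owner (root is assumed) or is group/other-writable;
    the function names and the usage path are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory: read-only ownership audit.
# The trusted owner (root) and the paths in the usage line are assumptions.

# owner_of PATH: owner as printed by ls -ld (a name, or the uid if unnamed).
owner_of() {
    ls -ld -- "$1" | awk '{print $3}'
}

# check_chain TOP FILE [TRUSTED]
# Walk from FILE up to TOP and report every component that is not owned by
# TRUSTED, or that group/other may write to. Whoever controls a directory
# can rename or replace the entries in it, whoever owns those entries.
# Prints one finding per line; returns 0 for a clean chain, 1 otherwise.
check_chain() {
    top=$1 p=$2 trusted=${3:-root} bad=0
    while :; do
        mode=$(ls -ld -- "$p" | cut -c1-10)
        own=$(owner_of "$p")
        if [ "$own" != "$trusted" ]; then
            echo "OWNER $own $p"; bad=1
        fi
        case $mode in
            l*) ;;  # symlink mode bits are not meaningful
            ?????w????|????????w?) echo "WRITABLE $mode $p"; bad=1 ;;
        esac
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return "$bad"
}

# list_owned TOP OWNER: everything under TOP owned by OWNER (nothing changed).
list_owned() {
    find "$1" -user "$2" -print
}

# list_setuid_owned TOP OWNER: setuid files owned by OWNER, to review first.
list_setuid_owned() {
    find "$1" -user "$2" -type f -perm -4000 -print
}

# Usage: sh audit.sh /etc/passwd   (checks /etc/passwd, /etc and /)
if [ "$#" -gt 0 ]; then
    check_chain / "$1" root
fi
```

    Review the output of list_owned before any chown, since the SOLUTION
    notes that a few programs in /usr/lbin still need to run as "bin".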