[Coco] setuid? was Re: Telnet to your CoCo.. and invite 6 of your friends

Willard Goosey goosey at virgo.sdc.org
Mon Nov 30 17:46:28 EST 2009


On Mon, Nov 30, 2009 at 03:02:49PM -0700, Tim Fadden wrote:
> To the thread in general, not you Willard. :-)

Meh.  My flamer days are over.  I'm old, fat, and mellow these days.
I'm sure everyone is greatly relieved. :-)
> 
> You are all talking about using a system call and creating a program and 
> then being able to change userID.  That's great, but how does the program 
> get on the host computer when there is no way to compile on it, or 
> transfer files to it? 

Partially, I'm being silly and paranoid, and I admit that.  Partially,
I'm still shocked that SETID was left wide open the way it was.  It's
a blow to my image of Microware. :-( 

Incomplete implementations make me twitch. ;-)  I can handle it if
functionality is just plain not there, but if it is there, it should
be correct.

Even without access to any of the development tools (asm, C,
whatever), all an evil hackzorz would need is DISPLAY, ATTR, and the
40-odd byte hex listing of su.

However, in my saner moments, even I admit that the "problem" probably
isn't worth fixing.  Security complications snowball quickly.  At a
guess, we might end up with 5 CoCos on the net.  Not a big target,
and one that would require knowledge of 20+ year old hardware and code
to break into.  The PCs running the DriveWire server would be far juicier
targets.

> Of course you can hack your own system!  Given  physical root access to 
> any machine it can be hacked.  Many can be hacked without root access!   

No one knows that better than someone who owns a 3b1 like I do (want
root?  Send yourself email! :-)

> Logging in remotely with a sub-set of safe to run commands is a whole 
> different story. 

True.

Willard
-- 
Willard Goosey  goosey at sdc.org
Socorro, New Mexico, USA
I search my heart and find Cimmeria, land of Darkness and the Night.
  -- R.E. Howard


