[TUHS] Two anecdotes

Theodore Y. Ts'o tytso at mit.edu
Sat Nov 20 12:48:42 AEST 2021


On Fri, Nov 19, 2021 at 09:08:49PM -0500, Alan Glasser wrote:
> Most of the hundreds (thousands?) of Unix systems running in Bell
> Labs seemed to have well guarded root passwords. There was always
> social engineering, like Rob mentioned. And, of course, setuid root
> exploits that I enjoyed.

Does anyone remember the security vulnerability that existed where
/bin/mail was setuid root, and you could issue the command "!/bin/ed
/etc/passwd" and the editor would be executed as root because
/bin/mail failed to drop the setuid root privs before executing the
shell escape?

When I was a Freshman at MIT I was implementing some image processing
programming on an old Unix system for a Materials Science professor in
1987 as part of MIT's Undergraduate Research Opportunities Program
(UROP).  It was some ancient Unix program, and to my amazement, the
/bin/mail security vulnerability was there even though it was a famous
security oopsie that should have been patched long before.  I *think*
the system was some kind of AT&T Unix (not BSD) system, but I can't
remember the hardware or the specific Unix that was on the system.

Does anyone know how long and on which Unix variants this particular
/bin/mail setuid root vulnerability was around?

							- Ted
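
An added example, not part of the message above and not taken from any historical /bin/mail source: a C sketch of the step the message says was missing, giving up setuid privilege in the child before a "!command" shell escape is executed. The function names drop_privileges and shell_escape are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Permanently give up setuid/setgid privilege: group first (while we
 * still may), then user, then verify. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* For a non-root invoker, regaining root must now fail. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Hypothetical stand-in for a "!command" shell escape handler.
 * Returns the command's exit status, or -1 on failure. */
static int shell_escape(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: refuse to start the shell unless privilege is gone. */
        if (drop_privileges() != 0) _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: the shell compares its effective and real uid. */
    int rc = shell_escape("test \"$(id -u)\" = \"$(id -ru)\"");
    printf("escape ran with euid == ruid: %s\n", rc == 0 ? "yes" : "no");
    return rc;
}
```

The drop happens in the child only, so the parent keeps whatever privilege it needs for mailbox access while the escaped command runs as the invoking user.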

