>> % Already tried, and he's not interested, but I did find out what script
>> % he's using...
>> %
>> % Q> #!/bin/sh
>> % Q> XYZZY="`find / -name core`"
>> % Q> for LOOP in `find $XYZZY | sort -ru` ; do
>> % Q> rm -fr $LOOP
>> % Q> done
> You have GOT to be kidding me!?!?!
Crazy as it sounds, nope...
> Oh beautiful! How about this instead... If you know the name
> of the script (say /usr/local/stupid_BOFH_admin/rmcore) then use this
> instead:
> mkdir -p "BOFH /usr/local/stupid_BOFH_admin/rmcore /core"
> Or how about this:
> mkdir -p '"BOFH | chmod 666 /etc/passwd" /core'
> Or...
> mkdir -p '"BOFH ; chmod 666 /etc/passwd" /core'
> Watch precise quoting carefully. That may take a little fine
> tuning but you get the point...
How about...
Q> mkdir -p 'BOFH `which crond` ; ln -s /sbin/reboot /bin/crond ; #'
> Salt suitably to annoy said Admin and teach error of ways...
> Slip appropriate shell meta characters in there and you can execute
> ANYTHING! As root!
I've a feeling the above command would cause him serious problems...
> You could even create a few scripts named core and precede them
> with appropriate shell meta characters in their lead up path and get the
> blinken thing to run your scripts as root every time he runs that script.
> Throw in a few symlinks into the mix and the possibilities for mayhem
> are incredible.
I never thought of that...
> Man... If I really get warmed up, I could dredge up a few goodies
> from bugtraq. With that one simple script he has managed to compromise
> the security of the entire system!
> Hmmm... Thinking of BOFH. This would be a good spot to turn the
> tables and try out some of the more creative BOFH ideas...
All too true - but I think the above will suffice for now...
> I find this criminally dangerous. If he gets informed that this
> script introduces a major serious security flaw in his system he is
> negligent.
> If you fail to inform him of it, you may be. Got any whistle
> blower protection? Warn his boss and then demonstrate that he's a
> moron.
Unfortunately, nope - although his boss knows I'm not happy with
him...
>> % Apparently, the version I use (and show above) is "too simple to do
>> % the job"...and the version he uses was written for him by his son,
>> % who's doing Comp Sci on Solaris at school - aged 14 !!!
> I know some 14 year olds who would hang their heads in shame at that
> script.
I know some NINE year olds who'd be ashamed to come up with something
like that - especially as root...and that includes several I've taught
myself in my spare time...
>> And you can't even tell him why this script is so bad (and inefficient)
>> without insulting his progeny...
> That script has already insulted his progeny.
True - but try persuading him of that...
Best wishes from Riley.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
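The trick discussed in the thread, reproduced as an added example that is not part of the original mail or of the quoted rmcore script. It builds a throw-away directory that stands in for "/" (the admin script path, the genuine core file and the user name are all constructed for the demo), drops in the booby-trapped directory created with `mkdir -p "BOFH <admin script> <x>/core"`, and runs the quoted script against it: because `$XYZZY` and `$LOOP` are expanded unquoted, the single result `.../BOFH /.../rmcore /.../core` is split into three words at the spaces, the middle word is the admin's own script, and `rm -fr` removes it. A hardened form that hands each path straight from `find` to `rm` via `-exec ... {} +` (no shell re-expansion, regular files only) is run on an identical sandbox for comparison. One caveat a practitioner should know: the shell never re-parses the result of an unquoted expansion for operators, so the `|`, `;` and backtick variants proposed in the thread arrive in the argv of `find` and `rm` as literal words; only field splitting and pathname expansion apply to expansion results, and field splitting is what the example exercises.

```shell
#!/bin/sh
# Added demonstration (not the thread's code): the unquoted-expansion bug in
# the quoted rmcore script, next to a form that is immune to it. Everything
# lives under a mktemp directory standing in for "/", so nothing outside it
# is touched. All file and directory names are constructed for the demo.

# Build a fake filesystem root containing the admin's script, a genuine core
# file, and the booby-trapped tree from the thread. The component
# "BOFH <admin script> <x>" contains spaces, so when the vulnerable script
# expands $XYZZY unquoted the shell splits it into separate paths, and the
# middle one is the admin's own script. Prints the sandbox root.
build_sandbox() {
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/usr/local/stupid_BOFH_admin" "$root/var/app" "$root/home/riley"
    printf 'echo I am the admin script\n' > "$root/usr/local/stupid_BOFH_admin/rmcore"
    printf 'fake core dump\n' > "$root/var/app/core"
    # Same shape as:  mkdir -p "BOFH /usr/local/stupid_BOFH_admin/rmcore /core"
    mkdir -p "$root/home/riley/BOFH $root/usr/local/stupid_BOFH_admin/rmcore $root/no/such/core"
    printf '%s\n' "$root"
}

# Write both scripts into the sandbox. Each takes the fake root as its $1 in
# place of the "/" used in the thread; otherwise the first is the quoted
# script unchanged (unquoted $XYZZY, unquoted $LOOP, rm -fr).
write_scripts() {
    cat > "$1/rmcore_vuln.sh" <<'EOF'
#!/bin/sh
XYZZY="`find $1 -name core`"
for LOOP in `find $XYZZY | sort -ru` ; do
rm -fr $LOOP
done
EOF
    # Hardened form: find passes every match to rm as its own argv element,
    # so names with spaces or metacharacters are never re-parsed; -type f
    # skips directories named core, and -xdev keeps it on one filesystem.
    cat > "$1/rmcore_fixed.sh" <<'EOF'
#!/bin/sh
find "$1" -xdev -type f -name core -exec rm -f -- {} +
EOF
}

# Run one script ("vuln" or "fixed") on a fresh sandbox and report whether
# the admin script and the genuine core file survived.
attack() {
    root=$(build_sandbox)
    write_scripts "$root"
    sh "$root/rmcore_$1.sh" "$root" >/dev/null 2>&1 || true
    if [ -e "$root/usr/local/stupid_BOFH_admin/rmcore" ]; then admin=survived; else admin=deleted; fi
    if [ -e "$root/var/app/core" ]; then core=survived; else core=deleted; fi
    rm -rf "$root"
    printf 'admin:%s core:%s\n' "$admin" "$core"
}

echo "vulnerable script: $(attack vuln)"   # admin:deleted core:deleted
echo "hardened script:   $(attack fixed)"  # admin:survived core:deleted
```

Both scripts remove the genuine `core` file, which is the job the admin wanted done; only the quoted one also removes its own caller. The same unquoted expansion is also subject to pathname expansion, so a `*` component in a crafted name would be globbed against the cron job's working directory before `find` and `rm` ever see it; the hardened form is immune to that as well, since nothing it does passes through a second round of shell parsing.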