root # roleadd -d /export/home/shadow -m shadow
64 blocks
root # rolemod -K defaultpriv=Basic,file_dac_read shadow
root # cat /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
shadow::::type=role;defaultpriv=Basic,file_dac_read;profiles=All
root # passwd shadow
New Password:
Re-enter new Password:
passwd: password successfully changed for shadow
root # usermod -R shadow allet
root # profiles allet
Basic Solaris User
All
root # roles allet
shadow
root # telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.
login: allet
Password:
Last login: Thu Dec 23 00:18:20 from localhost
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
allet $ ppriv -v $$
1791: -bash
flags =
E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
L: contract_event, contract_observer, cpc_cpu, dtrace_kernel,
dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute,
file_dac_read, file_dac_search, file_dac_write, file_link_any, file_owner,
file_setid, ipc_dac_read, ipc_dac_write, ipc_owner, net_icmpaccess,
net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres,
proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner,
proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct,
sys_admin, sys_audit, sys_config, sys_devices, sys_ipc_config, sys_linkdir,
sys_mount, sys_net_config, sys_nfs, sys_res_config, sys_resource,
sys_suser_compat, sys_time
allet $ ppriv $$
1791: -bash
flags =
E: basic
I: basic
P: basic
L: all
allet $ cat /etc/shadow
cat: cannot open /etc/shadow
allet $ su - shadow
Password:
role $ id -a
uid=101(shadow) gid=1(other) groups=1(other)
role $ ppriv $$
1800: -pfsh
flags =
E: basic,file_dac_read
I: basic,file_dac_read
P: basic,file_dac_read
L: all
role $ ls -l /etc/shadow
-r-------- 1 root sys 374 Dec 23 00:10 /etc/shadow
role $ cat /etc/shadow
root:WybF.D5GwZnz2:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
allet:uHkR2XYi9P5L2:12774::::::
shadow:On5eAXGKfJhzo:12774::::::
!!! IT WORKED !!!
With file_dac_read in the role's effective set, allet (acting as the shadow role) can read any file whose DAC mode bits deny her read access — here the root-owned, mode 0400 /etc/shadow, which exposes every account's password hash. (file_dac_read overrides read checks on files only; directory traversal is a separate privilege, file_dac_search, listed in the limit set above.) Note what still bounds this: the privilege is only in effect after `su - shadow`, so it requires the role's password and runs in the role's profile shell (pfsh), not in allet's ordinary login shell — compare the earlier `ppriv $$` output, where allet's sets are plain `basic`. Be careful, very careful!!
role $ exit
allet $ exit
logout
Connection to . closed by foreign host.
root #
The following example assumes that the configuration from the previous example (the shadow role and allet's role assignment) has already been removed; the user_attr listing below therefore no longer contains a shadow entry.
root # usermod -P All allet
root # usermod -K defaultpriv=Basic,file_dac_read allet
root # cat /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
allet::::type=normal;defaultpriv=Basic,file_dac_read;profiles=All
root # telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.
login: allet
Password:
Last login: Thu Dec 23 00:40:22 from localhost
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
allet $ ppriv $$
1889: -bash
flags =
E: basic,file_dac_read
I: basic,file_dac_read
P: basic,file_dac_read
L: all
allet $ id -a
uid=100(allet) gid=1(other) groups=1(other)
allet $ ls -l /etc/shadow
-r-------- 1 root sys 341 Dec 23 00:37 /etc/shadow
allet $ cat /etc/shadow
root:WybF.D5GwZnz2:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
allet:uHkR2XYi9P5L2:12774::::::
!!! THIS WORKED TOO !!!
Because defaultpriv is now set on allet's own user_attr entry, file_dac_read is in the inheritable and effective sets of her login shell and of every process she starts from it — no su, no second password, no role shell, and with the limit set still `all` nothing prevents the privilege from being passed on to child processes. This is more dangerous than the role variant above, where the privilege existed only inside a separately authenticated pfsh session. Be careful. Very, very, very careful!!
allet $ exit
logout
Connection to . closed by foreign host.
root #
I am in no way responsible for what you do with this, not even when you do it after reading my documents.