Why user has permissions to execute 'init 0'?

wolfgang · August 3, 2010, 3:45pm

Hi all.
On one workstation run Solaris 10 a simple user can to execute 'init 0' command without input (su and root password).
Example:

% init 0
%
OK

I don't understand how user can execute 'init 0' command on this workstation?

1) I checked /usr/local/etc/sudoers all lines are commented.

2) I checked RBAC.

%roles
no roles

3) init permissions

/sbin:
-r-sr-sr-x         1   root    sys        init

/etc:
lrwxrwxrwx  1    root     root       init -> ../sbin/init

What I must check yet?

Thanks.

swm · August 18, 2010, 1:50pm

As the simple user, please issue the command "which init".
If it ultimately points to /sbin/init, or even if it doesn't, I would look at why the set userid bit and set groupid bit are on (I never hear of set other id bit ). /sbin/init on the x86 system I'm running has the permissions r-xr-x-rx. (Check your other systems). Since the set userid bit is on, the script is run as root since root is the owner. If you feel bold; as the user try "init 6" and see if it reboots (assuming "which init" points to /sbin/init).

Grippo · September 6, 2010, 9:00am

permissions on /sbin/init should simply be r-xr-xr-x there should be no suid or sgid!
you should be perfectly safe to run "chmod 555 /sbin/init"