Bug#357561: Relation to escalation to root

To: 357561@bugs.debian.org
Subject: Bug#357561: Relation to escalation to root
From: Richard Thrippleton <ret28@cam.ac.uk>
Date: Wed, 17 Jan 2007 17:42:15 +0000
Message-id: <[🔎] 20070117174215.GH22629@ret.me.uk>
Reply-to: Richard Thrippleton <ret28@cam.ac.uk>, 357561@bugs.debian.org

If I have understood this correctly, preserving the controlling tty like this
allows an escalation from www-data to root. If, for example, I run
"/etc/init.d/apache start" from a root shell which I don't close soon after,
a resulting apache process running as www-data will share a controlling tty
with a root shell. A remote compromise of that process can then just inject
characters using TIOCSTI and execute commands as root.
In my opinion, it's not immensely unreasonable to manually bring down apache
and start it up again from a shell.
Why is this bug still unresolved after so long? The current workaround is of
course to immediately kill any terminal that has just invoked apache.

Richard

Reply to:

Prev by Date: Как сформировать и развить ?
Next by Date: Bug#398817: apache2: Same problem with long URLs !
Previous by thread: Как сформировать и развить ?
Next by thread: Bug#398817: apache2: Same problem with long URLs !
Index(es):
- Date
- Thread