
Re: couple things RedHat does well and Debian should too



Sergey V Kovalyov writes:

> No, the way it works is it changes the ownership of the /dev/fd*
> etc. to you. No extra groups are given you so you can't create a
> setgid file. You can't really do anything except to read and write
> from/to those devices.  It should be Ok. 

This is even worse. See:
http://securityportal.com/list-archive/bugtraq/2000/May/0026.html

"When accepting luser console login, pam_console called by /bin/login
tries to be user-friendly, doing several chowns on devices like login
tty and corresponding vcs[a] device, as well as other interesting
devices: fd*, audio devices (dsp*, mixer*, audio*, midi*, sequencer),
cdrom, streamer/zip drive devices, frame buffer devices, kbd*, js*,
video*, radio*, winradio*, vtx*, vbi* and so on. Probably it's
designed to make console logins more comfortable, but has DEADLY
effects on servers with console luser-login ability (and that's quite
common).

"On logout, these devices are chown'ed back to root, but unlike
/dev/tty[0-9], these devices have no hangup mechanism, so user will
have full control over them after logout by opening them and then
keeping the file descriptor. The easiest attack is read-write snooping
of consoles.  Log in on console once, open /dev/vcsX (where X
corresponds to tty number), then logout. By continuous lseek/read loop,
your program will be able to snoop further logins on this console -
forever. Also, it's possible to write() on snooped console... Ugh.
Other possibilities include reading any inserted cd, reading/writing
any inserted floppy, messing with video/audio devices and so on, all
in the same way."

-- 
There is no TRUTH. There is no REALITY. There is no CONSISTENCY. There
are no ABSOLUTE STATEMENTS. I'm very probably wrong. -- BSD fortune(6)
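The advisory's core point is that a chown back to root does not revoke descriptors that are already open. The audit script below is an added example, not part of this mail or of the pam_console code: it walks /proc and flags non-root processes still holding descriptors on device nodes under /dev that they could not open afresh under the node's current owner and mode. Everything about /proc layout here is standard Linux; the sample entries are constructed, and the use of gid 5 as the tty group in one of them is an assumption.

```python
import os
import stat
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Only nodes under this prefix are considered; pam_console chowns live here.
DEVICE_ROOT = "/dev/"


@dataclass(frozen=True)
class OpenFd:
    """One descriptor held by one process, plus the node's ownership *now*."""
    pid: int
    uid: int                 # real uid of the holding process
    gids: FrozenSet[int]     # primary + supplementary groups of the process
    fd: int
    target: str              # what /proc/<pid>/fd/<fd> points at
    target_uid: int          # current st_uid of the node
    target_gid: int          # current st_gid of the node
    target_mode: int         # current st_mode of the node


def could_reopen(entry: OpenFd) -> bool:
    """Would the process be allowed to open the node afresh right now?"""
    m = entry.target_mode
    if entry.uid == 0:
        return True
    if entry.target_uid == entry.uid and m & (stat.S_IRUSR | stat.S_IWUSR):
        return True
    if entry.target_gid in entry.gids and m & (stat.S_IRGRP | stat.S_IWGRP):
        return True
    return bool(m & (stat.S_IROTH | stat.S_IWOTH))


def is_lingering(entry: OpenFd) -> bool:
    """A descriptor 'lingers' when it refers to a device node under /dev that
    the holder could no longer open today: the access survived the chown back
    to root only because the descriptor was already open."""
    m = entry.target_mode
    if not (stat.S_ISCHR(m) or stat.S_ISBLK(m)):
        return False
    if not entry.target.startswith(DEVICE_ROOT):
        return False
    return not could_reopen(entry)


def find_lingering(entries: Iterable[OpenFd]) -> List[OpenFd]:
    return [e for e in entries if is_lingering(e)]


def _proc_ids(pid: int) -> Tuple[int, FrozenSet[int]]:
    """Real uid and full group list from /proc/<pid>/status."""
    uid, gids = 0, set()
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("Uid:"):
                uid = int(line.split()[1])
            elif line.startswith("Gid:"):
                gids.add(int(line.split()[1]))
            elif line.startswith("Groups:"):
                gids.update(int(g) for g in line.split()[1:])
    return uid, frozenset(gids)


def collect_from_proc() -> List[OpenFd]:
    """Walk /proc on a live system (run as root to see other users' fds)."""
    found: List[OpenFd] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            uid, gids = _proc_ids(pid)
            fd_dir = f"/proc/{pid}/fd"
            fd_names = os.listdir(fd_dir)
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue                      # process gone, or not ours to inspect
        for fd_name in fd_names:
            try:
                target = os.readlink(os.path.join(fd_dir, fd_name))
                if not target.startswith(DEVICE_ROOT):
                    continue
                st = os.stat(target)      # ownership now, not at open() time
            except OSError:
                continue
            found.append(OpenFd(pid, uid, gids, int(fd_name), target,
                                st.st_uid, st.st_gid, st.st_mode))
    return found


def sample_entries() -> List[OpenFd]:
    """Constructed sample, not from a real host: uid 1000 opened /dev/vcs1
    while it was chowned to them, logged out, and the node is root:root again."""
    vcs = stat.S_IFCHR | 0o600
    return [
        OpenFd(4242, 1000, frozenset({1000, 24}), 3, "/dev/vcs1", 0, 0, vcs),   # stale
        OpenFd(4243, 1000, frozenset({1000}), 4, "/dev/vcs1", 1000, 0, vcs),    # still theirs
        OpenFd(1, 0, frozenset({0}), 5, "/dev/vcs1", 0, 0, vcs),                # root
        OpenFd(4244, 1000, frozenset({1000}), 6, "/dev/null", 0, 0, stat.S_IFCHR | 0o666),
        OpenFd(4245, 1000, frozenset({1000, 5}), 7, "/dev/vcs2", 0, 5, stat.S_IFCHR | 0o660),  # gid 5 = tty (assumed)
        OpenFd(4246, 1000, frozenset({1000}), 8, "/dev/shm/x", 0, 0, stat.S_IFREG | 0o600),   # not a device
    ]


if __name__ == "__main__":
    for e in find_lingering(collect_from_proc()):
        print(f"pid {e.pid} (uid {e.uid}) holds fd {e.fd} -> {e.target}, "
              f"now uid {e.target_uid} mode {oct(stat.S_IMODE(e.target_mode))}")
```

The check is deliberately conservative: a descriptor is reported only when the holder would be refused a fresh open under the node's current owner, group and mode, so a user who still owns the node, or who is in the node's group, is not flagged. Run it from a periodic job on hosts that allow console logins, or once after a logout to confirm whether any handles outlived the chown.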