
Bug#225692: dpkg: Allows users to stash away vulnerable versions of setuid binaries



Package: dpkg
Version: 1.9.21
Severity: grave
Tags: security



See http://lists.jammed.com/ISN/2003/12/0056.html

Users can make hardlinks to root-owned setuid binaries in the usual
partitioning configurations, so unlinking them is not a reliable way
to get rid of them.

With the current dpkg behaviour it's not enough to upgrade the package
before malicious local users get their hands on the exploit, since they
can stash the binary away and wait for an exploit to become available.

I think a fix for this might be to open() the binary, unlink() it,
and then use fchmod() to remove the setuid and setgid bits
(optionally check the link count to see if someone is trying this
and print a warning).

truncate() is out since running copies of the binaries
won't like it, and a normal chmod() would be racy...

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.6.0 #2 Sun Dec 21 10:27:12 EET 2003 i686
Locale: LANG=C, LC_CTYPE=fi_FI

Versions of packages dpkg depends on:
ii  libc6                     2.3.2.ds1-10   GNU C Library: Shared libraries an
ii  libncurses5               5.3.20030719-2 Shared libraries for terminal hand
ii  libstdc++2.10-glibc2.2    1:2.95.4-15    The GNU stdc++ library

-- no debconf information
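
The open(), unlink(), fchmod() sequence proposed in the report, with the optional link-count warning, as an added C example; it is not dpkg's code and not part of the original message. The function name `secure_remove` and its return convention are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not dpkg code: unlink `path` and clear setuid/setgid on
 * the inode itself, so a hard link stashed elsewhere loses the bits too.
 * Returns the pre-unlink link count (> 1: other names exist), -1 on error. */
long secure_remove(const char *path)
{
    struct stat st;
    int saved;
    /* O_NOFOLLOW: refuse a symlink at `path`; O_NONBLOCK: never hang on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        goto fail;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        goto fail;
    }
    if (st.st_nlink > 1) /* the optional warning from the report */
        fprintf(stderr, "warning: %s has %lu links\n", path, (unsigned long)st.st_nlink);
    if (unlink(path) < 0)
        goto fail;
    /* fchmod() acts on the open inode, not a name, so no path can be swapped in. */
    if (fchmod(fd, st.st_mode & 07777 & ~(mode_t)(S_ISUID | S_ISGID)) < 0)
        goto fail;
    close(fd);
    return (long)st.st_nlink;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    if (argc != 2)
        errno = EINVAL;
    else if (secure_remove(argv[1]) >= 0)
        return EXIT_SUCCESS;
    perror("secure_remove");
    return EXIT_FAILURE;
}
```

Because the mode change is applied through the file descriptor, every remaining name for the same inode sees the cleared bits, while processes already executing the old binary keep running.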



