[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Different roots for each process possible?



On Fri, Jan 19, 2001 at 01:06:40AM -0500, Mark H. Weaver wrote:
> What about non-hurd-aware setuid/setgid programs which trust the
> authenticity of their config file based on its location within the
> filesystem?  I'm too lazy to research any particular program to see if
> it would have this problem, but I can certainly imagine such problems.
> 
> For example, a setuid program mysudo might read a config file
> /etc/mysudoers, telling it which users are allowed to become root.  If
> it were hurd-aware and/or extra careful, it would check the owner of
> the file, but since it isn't, it naively assumes that the file's
> legitimate because it's in /etc
> 
> Now I can do the following within my home directory:
> 
>   mkdir myroot
>   cd myroot
>   mkdir etc
>   echo myname > etc/mysudoers
>   ln /usr/bin/mysudo .
>   cp /bin/sh .
>   chroot .
>   ./mysudo chown root.root ./sh
>   ./mysudo chmod 4555 ./sh
>   exit
>   ./sh
> 
> and now I've got a root shell.  Am I missing something?

neal@hurd:~ (0)$ mkdir root
neal@hurd:~ (0)$ cp `which sudo` root
neal@hurd:~ (0)$ ls -l `which sudo` root
-rwsr-xr-x    1 root     root        48304 Jul 26  1999 /usr/bin/sudo
root:
total 48
-rwsr-xr-x    1 neal     neal        48304 Jan 19 01:09 sudo

It is not going to work if it is not suid root.

Attachment: pgp1yJO70U5lP.pgp
Description: PGP signature


Reply to: