[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#299007: base-files: Insecure PATH

"Brendan O'Dea" <bod@debian.org> wrote:

> ... there's more at stake here than just PATH, since perl for example has
> /usr/local/{lib,share}/perl earlier in @INC than /usr/{lib,share}/perl... 
> 
> I'm not sure what the emacs site-lisp search order is, but that may well
> provide a similar vector.

Thanks for pointing out those avenues of attack.

In your summary you seem to have missed that any machines that share user
files via writable NFS mounts are vulnerable. (Are vulnerable if you mount
an NFS filesystem that is writable to others.)

To keep the current group staff access and have a reasonably useful machine
(with users in group staff to make use of that access, or NFS mounts even
when there are no users in group staff), you would need to modify PATH in
base-files, @INC in perl, something in emacs, and possibly other things in
other packages. You would need to modify policy:
http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
says
  ... /usr/local take precedence over the equivalents in /usr.


Could the settings
  Severity: critical
  Justification: root security hole
please be re-instated on this bug? In some common scenarios, current
arrangements allow root access. (The worst kind of "bug": mandated by
policy...)

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
Reply to: