
Bug#299007: base-files: Insecure PATH



Brendan O'Dea <bod@debian.org> wrote:

> ... the current situation poses no security risks without the
> administrator choosing to add users to the staff group.

Sorry, that is wrong. Quoting from the original bug report:

> Become-any-user-but-root and become-any-group-but-root bugs are quite
> common. When a group of machines share user home directories via NFS
> exported from somewhere with default root-squash, getting root on one
> machine gives precisely that on all others of the group. There have
> been "genuine" such bugs also e.g. in sendmail [6].

Bill Allombert <allomber@math.u-bordeaux.fr> wrote:

> ... there is at least an other group in Debian that is equivalent
> to root access, namely disk, and there are others that present a
> security risk (e.g. shadow). Why special casing staff ?

Thanks for pointing those out! Add group tty also? All should be
"squashed" (and the objects owned by root:root instead).

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
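Added here as a worked example, not part of this thread or of Debian's base-files: two small POSIX shell audit helpers covering the two halves of the risk discussed above, namely PATH entries that a non-root account could write into, and membership of the groups named in this exchange as root-equivalent (staff, disk, shadow, tty). The function names, the output format, the exact set of groups and the constructed sample inputs are assumptions of this example; nothing here is taken from the bug report or from base-files.

```shell
#!/bin/sh
# Added example (not from the bug thread): defender-side audit helpers.
#
# audit_path_dirs PATHSTRING
#   Prints one line per PATH entry a non-root account could use to plant a
#   binary: group-writable or world-writable directories, and relative
#   entries ("" or ".") that resolve to whatever the current directory is.
#   Returns 0 when nothing was found, 1 otherwise.
audit_path_dirs() {
    _path=$1
    _rc=0
    # Split on ':' without glob-expanding the individual entries.
    case $- in *f*) _had_noglob=1 ;; *) _had_noglob=0; set -f ;; esac
    _saved_ifs=$IFS
    IFS=:
    set -- $_path
    IFS=$_saved_ifs
    [ "$_had_noglob" -eq 1 ] || set +f
    for _d in "$@"; do
        case $_d in
            ""|.|./*|../*)
                echo "$_d: relative entry, resolves to the current directory"
                _rc=1
                continue ;;
        esac
        [ -d "$_d" ] || continue          # a missing directory cannot be written into
        _info=$(ls -ld "$_d")
        _mode=${_info%% *}                # first field, e.g. drwxrwxr-x
        _owner=$(echo "$_info" | awk '{print $3 ":" $4}')
        # In the mode string, position 6 is the group write bit and 9 the
        # other write bit; world-writable is reported first as the worse case.
        case $_mode in
            ????????w*) echo "$_d: world-writable ($_mode $_owner)"; _rc=1 ;;
            ?????w*)    echo "$_d: group-writable ($_mode $_owner)"; _rc=1 ;;
        esac
    done
    return $_rc
}

# root_equivalent_members [GROUPFILE]
#   Reads an /etc/group-format file (default /etc/group) and prints
#   "group:user" for every member of staff, disk, shadow or tty, the groups
#   this exchange treats as equivalent to root. Returns 0 if there are no
#   such members, 1 if any were found.
root_equivalent_members() {
    _file=${1:-/etc/group}
    _out=$(awk -F: '
        $1 == "staff" || $1 == "disk" || $1 == "shadow" || $1 == "tty" {
            n = split($4, users, ",")
            for (i = 1; i <= n; i++) if (users[i] != "") print $1 ":" users[i]
        }' "$_file")
    [ -z "$_out" ] && return 0
    echo "$_out"
    return 1
}

# Typical use after sourcing this file:
#   audit_path_dirs "$PATH"          # check the caller's own search path
#   root_equivalent_members          # who is in the root-equivalent groups
```

Both helpers only report; the fix the thread argues for is to stop handing those groups write access to PATH directories (root:root ownership with no group write bit), and the first function is the check that such a change has actually taken effect on every host sharing the directories.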
