Bug#299007: base-files: Insecure PATH
Brendan O'Dea <firstname.lastname@example.org> wrote:
> Your argument is that exporting a writable / or /usr via NFS exposes
> you to possible exploits? Then DON'T DO THAT.
and Manoj Srivastava <email@example.com> wrote:
> ... majority do not NFS export /usr/local ...
Sorry, but that is not the issue. The attacked machine would not be an
exporter, but a mounter of user files.
Suppose I have a bunch of machines that "share" user files: all
NFS-mount /users (containing user home directories /users/*). Getting
root on any one of this bunch of machines would allow me to create a
setgid-staff file; or maybe I could mess around with the .bashrc of a
user in group staff.
Arguments about exports with squash_gids are moot: many NFS exporters do
not have that option; and non-Debian exporters would not know or care
about group staff.
Other points raised:
> That "src" group is *obviously* a security risk, it makes any user in
> that group root-equiv since they can dick with /usr/src/linux...
No risk: /usr/src is not used on a regular basis. Root should verify his
sources before building and installing a new kernel.
> The various role groups are useful [to] provide limited access to
> certain files/subtrees.
Yes, e.g. group mail is useful (only because we do not trust sendmail?).
Group disk is not useful: there is no-one in that group, nor are there
setgid-disk binaries. I wonder about group tty.
> ... a finer distinction of privileges ... we should encourage.
Yes, definitely; but we need to do so securely.
Paul Szabo firstname.lastname@example.org http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
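An added defender-side audit, not part of this bug report, for the scenario Paul describes: it lists setgid files of a given group (e.g. staff) under an NFS-mounted home tree, and flags NFS mounts whose options lack nosuid. It assumes POSIX find and awk; the mount table sample is constructed.

```shell
#!/bin/sh
# Added audit helpers (not from the bug report).

# find_setgid_for_group DIR GROUP
#   Print every regular file under DIR (not crossing mount points) that is
#   setgid and owned by GROUP, e.g. a setgid-staff file planted on a shared
#   NFS home tree by someone who got root on another client.
find_setgid_for_group() {
    dir=$1; grp=$2
    find "$dir" -xdev -type f -perm -2000 -group "$grp" 2>/dev/null
}

# nfs_mounts_without_nosuid [MOUNTS_FILE]
#   Read a /proc/mounts-style table (default: /proc/mounts) and print the
#   mount points of nfs/nfs4 filesystems mounted without the nosuid option.
#   A mount with nosuid ignores setuid/setgid bits on executables, which
#   defuses the planted-setgid-file problem on the client side.
nfs_mounts_without_nosuid() {
    awk '$3 ~ /^nfs4?$/ && $4 !~ /(^|,)nosuid(,|$)/ { print $2 }' \
        "${1:-/proc/mounts}"
}

# Demo on constructed data (assumed values, not a real mount table).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'srv:/users /users nfs rw,vers=3,hard 0 0' \
    'srv:/pub   /pub   nfs4 rw,nosuid,nodev 0 0' \
    > "$demo_dir/mounts"
echo "NFS mounts without nosuid:"
nfs_mounts_without_nosuid "$demo_dir/mounts"
echo "setgid files of group $(id -gn) under $demo_dir:"
find_setgid_for_group "$demo_dir" "$(id -gn)"
rm -rf "$demo_dir"
```

Run with a real home tree, e.g. `find_setgid_for_group /users staff`, and against the live `/proc/mounts` to see which shared filesystems still honour setgid bits.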