
Bug#299007: base-files: Insecure PATH



>>[...] I wonder about group tty.
> 
> Group tty exists to support write(1), wall(1) and similar.  Terminals
> are writable by group tty when mesg is "y" (default for non-root users).

We have write(1) and wall(1) setgid tty (and not setuid root) because we do
not trust them. Should audit the sources, then could have them setuid root
and do away with group tty.

What mischief can be done by getting group tty? Could we do only what
write(1) does, or could we insert keystrokes into someone's terminal and so
execute arbitrary code?

Much of UNIX is designed on the idea that it is difficult to "get" another
user or group. The use of NFS (for any files, for user files, and in
particular for user home directories) blows away some of that difficulty,
relying on the exporter to keep things safe. That is why most (all??)
exporters use the root_squash option; but become-any-user-but-root and
become-any-group-but-root remain possible. In the presence of NFS, we (the
local machine) cannot fully protect users; but must still protect root.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
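
Added example, not part of the original message: a small audit of the arrangement discussed above, reporting whether each terminal is group-writable (mesg "y") and whether the write/wall helpers are setgid tty or setuid root. The function names, the /dev/pts glob and the helper paths are assumptions made for illustration.

```python
import glob
import os
import stat

def tty_exposure(mode, gid, tty_gid):
    """Classify who may write to a terminal from its st_mode and st_gid."""
    if mode & stat.S_IWOTH:
        return "world-writable"              # any local user can write to it
    if mode & stat.S_IWGRP:
        # mesg y sets the group write bit; expected only with group tty
        return "mesg-y" if gid == tty_gid else "group-writable-non-tty"
    return "mesg-n"

def helper_privilege(mode, uid, gid, tty_gid):
    """Classify how a helper such as write(1) or wall(1) gains terminal access."""
    if mode & stat.S_ISUID and uid == 0:
        return "setuid-root"                 # a bug in the helper yields root
    if mode & stat.S_ISGID and gid == tty_gid:
        return "setgid-tty"                  # a bug in the helper yields group tty only
    return "unprivileged"

def audit(tty_paths, helper_paths, tty_group="tty"):
    """Return (path, classification) pairs for the files that exist."""
    import grp                               # Unix-only, needed for the live audit
    tty_gid = grp.getgrnam(tty_group).gr_gid
    findings = []
    for path in tty_paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        if stat.S_ISCHR(st.st_mode):         # skip anything that is not a device
            findings.append((path, tty_exposure(st.st_mode, st.st_gid, tty_gid)))
    for path in helper_paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        findings.append((path, helper_privilege(st.st_mode, st.st_uid,
                                                st.st_gid, tty_gid)))
    return findings

if __name__ == "__main__":
    # Assumed locations; adjust for the system being audited.
    ttys = glob.glob("/dev/pts/[0-9]*") + glob.glob("/dev/tty[0-9]*")
    helpers = ["/usr/bin/write", "/usr/bin/wall"]
    for path, verdict in audit(ttys, helpers):
        print(f"{verdict:24} {path}")
```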


