Bug#299007: base-files: Insecure PATH

[Matt Zimmerman <mdz@debian.org>]

On Tue, Mar 22, 2005 at 02:37:14PM +1100, psz@maths.usyd.edu.au wrote:

> > Could the settings
> >>>   Severity: critical
> >>>   Justification: root security hole
> >>> please be re-instated on this bug? In some common scenarios, current
> >>> arrangements allow root access.
> >> 
> >> Could this be done, please, while we discuss (argue?) resolution?
> > 
> > No, I think that would be far overstating the facts.
> 
> Are you sure there are no security issues, and absolutely sure there are no
> root security holes, lurking in there?
> 
> I am tempted to publicize the issue on the BugTraq and FullDisclosure
> mailing lists. Maybe I am wrong, and will suffer the humiliation of being
> laughed at; or maybe I am right ...
> 
> (I know Matt thinks bugs.debian is public already, but it is quite obscure;
> so the general public, Debian users, and other Linux/UNIX maintainers may
> still be in the dark.)

I've already stated my position on the bug, and I think that this use of the
staff group should be avoided.

The fact, though, is that this is a privilege escalation from the
(documented, but essentially unused) 'staff' group to root.  Similar
escalations exist commonly in other systems via, e.g., the 'bin' user/group
which owns binaries in the default PATH.  The "kmem" group also leads
trivially to root.  But unless the system administrator takes it upon
themselves to give these privileges away, there is no realistic attack
vector, and no justification for alarm.

-- 
 - mdz