
Bug#299007: base-files: Insecure PATH



Matt Zimmerman <mdz@debian.org> wrote:

> The fact, though, is that this is a privilege escalation from the
> (documented, but essentially unused) 'staff' group to root.  Similar
> escalations exist commonly in other systems via, e.g., the 'bin' user/group
> which owns binaries in the default PATH.  The "kmem" group also leads
> trivially to root.

On my Debian systems, I see:

psz@pisa:~$ ls -l /dev | grep mem
crw-r-----    1 root     kmem       1,   2 Nov 13  2002 kmem
crw-r-----    1 root     kmem       1,   1 Nov 13  2002 mem
crw-r-----    1 root     kmem       1,   4 Nov 13  2002 port

with read access only. Does that still give you root, or did you (also)
mean that for other systems, where kmem has write access?

Debian policy says that files should be owned by root:root (as distinct
from bin:bin). Was not that designed to avoid such escalation?

> But unless the system administrator takes it upon themselves to give
> these privileges away, there is no realistic attack vector, and no
> justification for alarm.

NFS-mounted (user) files, mounted writable on several machines; attacker
gets root on one machine, creates setgid-staff binary, gets root on all.
Is not that realistic?

Should not administrators be warned that giving staff privilege is
equivalent to root? Are not they being misled into thinking that staff is
somehow less dangerous?

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
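A defensive check for the condition this thread is about, added here as an example and not part of the bug report: it walks a PATH-style list and reports each directory that a non-root owner, a non-root group (such as 'staff' on /usr/local/bin) or the world could write to. It assumes a POSIX sh with either GNU or BSD 'stat'; the report format is the script's own.

```shell
#!/bin/sh
# Added example, not from the bug report: report PATH entries that a
# non-root user or group could modify, i.e. the 'staff'-writable
# /usr/local/bin case discussed above.  Assumes GNU or BSD 'stat'.

# audit_path LIST  -> prints "mode owner:group dir" for every entry a
# non-root could write to; returns 1 if anything was reported, else 0.
audit_path() {
    _list=$1
    _found=0
    while [ -n "$_list" ]; do
        # Peel off the first entry; no subshell, so _found survives.
        case $_list in
            *:*) _dir=${_list%%:*}; _list=${_list#*:} ;;
            *)   _dir=$_list;       _list= ;;
        esac
        [ -d "$_dir" ] || continue   # missing entries are skipped
        # Octal mode, owner, group: GNU stat first, BSD stat as fallback.
        _info=$(stat -c '%a %U %G' "$_dir" 2>/dev/null ||
                stat -f '%Lp %Su %Sg' "$_dir")
        _mode=${_info%% *}
        _rest=${_info#* }
        _owner=${_rest% *}
        _group=${_rest#* }
        # Pad to at least three digits, then keep the last three
        # (drops the setuid/setgid/sticky digit if present).
        _perm=$_mode
        while [ ${#_perm} -lt 3 ]; do _perm=0$_perm; done
        _perm=${_perm#"${_perm%???}"}
        _g=${_perm%?}; _g=${_g#?}      # group permission digit
        _o=${_perm#??}                 # other permission digit
        _risky=0
        # A non-root owner can replace binaries outright.
        [ "$_owner" != root ] && _risky=1
        # Group write bit (2) matters unless the group is root itself.
        case $_g in 2|3|6|7) [ "$_group" != root ] && _risky=1 ;; esac
        # World write bit means anyone can plant a binary.
        case $_o in 2|3|6|7) _risky=1 ;; esac
        if [ "$_risky" -eq 1 ]; then
            printf '%s %s:%s %s\n' "$_mode" "$_owner" "$_group" "$_dir"
            _found=1
        fi
    done
    [ "$_found" -eq 0 ]
}

# Stand-alone run: audit the caller's own PATH.
audit_path "$PATH" || echo 'PATH contains entries writable by non-root' >&2
```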
