Bug#299007: base-files: Insecure PATH
Matt Zimmerman <mdz@debian.org> wrote:
> The fact, though, is that this is a privilege escalation from the
> (documented, but essentially unused) 'staff' group to root. Similar
> escalations exist commonly in other systems via, e.g., the 'bin' user/group
> which owns binaries in the default PATH. The "kmem" group also leads
> trivially to root.
On my Debian systems, I see:
psz@pisa:~$ ls -l /dev | grep mem
crw-r----- 1 root kmem 1, 2 Nov 13 2002 kmem
crw-r----- 1 root kmem 1, 1 Nov 13 2002 mem
crw-r----- 1 root kmem 1, 4 Nov 13 2002 port
with read access only. Does that still give you root, or did you (also)
mean that for other systems, where kmem has write access?
Debian policy says that files should be owned by root:root (as distinct
from bin:bin). Was not that designed to avoid such escalation?
> But unless the system administrator takes it upon themselves to give
> these privileges away, there is no realistic attack vector, and no
> justification for alarm.
NFS-mounted (user) files, mounted writable on several machines; attacker
gets root on one machine, creates setgid-staff binary, gets root on all.
Is not that realistic?
Should not administrators be warned that giving staff privilege is
equivalent to root? Are not they being misled into thinking that staff is
somehow less dangerous?
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
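An added defensive check, not part of this bug report or of the base-files package: a POSIX sh script that audits a PATH string for directories a non-trusted user or group could write to (the staff-writable directory in root's PATH), and lists set-id files under a directory whose owner or group is not the trusted one (the setgid-staff binary case). It assumes GNU coreutils stat(1) with -c and GNU find(1) as on Debian; the function names and the trusted-uid parameters are the example's own.

```sh
#!/bin/sh
# Added example (not from the bug report or base-files): audit a PATH string for
# directories that someone other than the trusted owner could write to. Whoever
# can write to a directory root searches can plant a binary root runs by name.
# Assumes GNU coreutils stat(1) (-c) and GNU find(1), as on Debian.
#
# audit_path PATHSTRING [TRUSTED_UID]   (TRUSTED_UID defaults to 0 = root)
# Prints one line per finding: "<dir> <owner>:<group> <symbolic-mode> <reasons>"
audit_path() {
    _p=$1; _trusted=${2:-0}
    printf '%s\n' "$_p" | tr ':' '\n' | while IFS= read -r d; do
        if [ -z "$d" ]; then
            # An empty element means "current directory": always a finding.
            printf '%s - - %s\n' '(empty)' 'empty-entry-is-cwd'
            continue
        fi
        [ -d "$d" ] || continue   # a missing directory cannot be written to
        # uid, user name, group name, symbolic mode (e.g. drwxrwsr-x)
        set -- $(stat -L -c '%u %U %G %A' "$d")
        reason=
        [ "$1" -eq "$_trusted" ] || reason="${reason}owner-not-trusted,"
        case $4 in ?????w????) reason="${reason}group-writable,";; esac
        case $4 in ????????w?) reason="${reason}world-writable,";; esac
        [ -n "$reason" ] && printf '%s %s:%s %s %s\n' "$d" "$2" "$3" "$4" "${reason%,}"
    done
    return 0
}

# audit_setid_files DIR [TRUSTED_UID] [TRUSTED_GID]   (both default to 0)
# Lists set-uid/set-gid regular files directly under DIR whose owner or group
# is not the trusted one: a setgid-staff binary is exactly such a file.
# Prints "<file> <owner>:<group> <symbolic-mode>" per finding.
audit_setid_files() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) \
        \( ! -uid "${2:-0}" -o ! -gid "${3:-0}" \) \
        -exec stat -L -c '%n %U:%G %A' {} \;
    return 0
}

# Stand-alone use:  sh audit_path.sh "$PATH"
# (audits each PATH directory, then the set-id files directly under it)
if [ "$#" -gt 0 ]; then
    audit_path "$1"
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -d "$d" ] && audit_setid_files "$d"
    done
fi
```

Run it as root so that the default trusted uid/gid of 0 matches the ownership Debian policy expects (root:root) and every deviation is reported.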