Bug#299007: base-files: Insecure PATH
On Tue, Mar 22, 2005 at 03:29:10PM +1100, psz@maths.usyd.edu.au wrote:
> On my Debian systems, I see:
>
> psz@pisa:~$ ls -l /dev | grep mem
> crw-r----- 1 root kmem 1, 2 Nov 13 2002 kmem
> crw-r----- 1 root kmem 1, 1 Nov 13 2002 mem
> crw-r----- 1 root kmem 1, 4 Nov 13 2002 port
>
> with read access only. Does that still give you root, or did you (also)
> mean that for other systems, where kmem has write access?
Read-only access to kernel memory should be sufficient to obtain passwords,
including the root password or the password of a root-equivalent user.
> NFS-mounted (user) files, mounted writable on several machines; attacker
> gets root on one machine, creates setgid-staff binary, gets root on all.
> Is not that realistic?
Attacker gets root on one machine, creates setuid root binary, gets root on
all.
> Should not administrators be warned that giving staff privilege is
> equivalent to root? Are not they being misled into thinking that staff is
> somehow less dangerous?
I have already said that I support the removal of these privileges from the
staff group; we do not disagree on this point.
--
- mdz