Bug#299007: base-files: Insecure PATH
I have now sent the following to the BugTraq and FullDisclosure mailing
lists, see e.g.
http://www.securityfocus.com/archive/1/393997
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032804.html
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
---
> From psz Wed Mar 23 09:11:45 2005
> To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> Subject: root-equivalent groups
>
> Most UNIX/Linux installations have some groups (or users) whose members may
> be able to become root, for example:
>
> Group   What             Do
> bin     /usr/bin         create trojan
> disk    /dev/hda         raw write and create setuid root
> kmem    /dev/kmem        read root password
> shadow  /etc/shadow      crack root password
> staff   /usr/local/bin   create trojan
> tape    /dev/st0         read confidential backup tape
> tty     /dev/tty         add keystrokes, run any code
>
> Often there are no users in these groups nor setgid binaries, so this may
> not matter; in fact the group may be useless, and the files could be owned
> by root instead. Group staff is probably special in that administrators may
> add users to that group, thinking that this is a lesser privilege than root.
>
> Even in the absence of users in the group, it may be possible for attackers
> to "get" that group, via become-any-group-but-root bugs. Such bugs are
> quite common: when a group of machines share writable (e.g. user home)
> directories via NFS exported from somewhere with default root-squash,
> getting root on any one machine gives precisely that on all others of the
> group. There have been "genuine" such bugs also e.g. in sendmail.
>
> Please ensure that you are safe: review your use of root-equivalent groups,
> file ownerships, and NFS configurations.
>
> For some more discussion please see http://bugs.debian.org/299007 .
>
> Cheers,
>
> Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
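A defender-side check for the review the post asks for, as an added example that is not part of the bug report or its author's text: it lists every member of the root-equivalent groups named in the table above, given /etc/group-style input, and sketches a system-wide audit of setgid and group-writable files for those groups. The sample group file and its user names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit membership of the
# root-equivalent groups listed in the post.
ROOT_EQUIV_GROUPS="bin disk kmem shadow staff tape tty"

# Constructed sample /etc/group content; users are hypothetical.
SAMPLE_GROUP='root:x:0:
bin:x:2:
disk:x:6:alice
kmem:x:15:
shadow:x:42:bob,carol
staff:x:50:dave
tape:x:26:
tty:x:5:
users:x:100:alice,bob'

# Read group-file lines on stdin; print "group user" for each member of a
# root-equivalent group. Field 4 is the comma-separated supplementary list.
root_equiv_members() {
    awk -F: -v groups="$ROOT_EQUIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, u, ",")
            for (i = 1; i <= m; i++) print $1, u[i]
        }'
}

# Number of flagged memberships; zero is the expected state on a clean host.
count_root_equiv_members() {
    root_equiv_members | wc -l | tr -d ' '
}

# On a real system: flagged members, then setgid binaries and group-writable
# files owned by each root-equivalent group (find over / is slow; run as root).
audit_system() {
    root_equiv_members < /etc/group
    for g in $ROOT_EQUIV_GROUPS; do
        find / -xdev -group "$g" -perm -2000 -type f 2>/dev/null
        find / -xdev -group "$g" -perm -0020 2>/dev/null
    done
}
```

Run `printf '%s\n' "$SAMPLE_GROUP" | root_equiv_members` to see the four constructed findings, or `audit_system` on a host to review it.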