On Fri, Dec 22, 2006 at 01:51:20PM +0100, Loïc Minier wrote:
> Would someone be so kind to either correct me or to help me word why
> this is a bad idea?

This is a bad idea because, if mach creates (on installation) /var/tmp/mach/something, and a rogue user creates (before installation) /var/tmp/mach/ and makes a symlink from 'something' to /etc/passwd, the whole system will be hosed when the package is installed.

How can you do privilege escalation? Easy, just have 'something' point to /etc/cron.daily/ and try to get mach to write something *you* would like to get executed by cron.

So, the comment (in the SF thread):

> For example, making the symlink pointing to somewhere else still doesn't
> allow that user to do anything even if mach would install stuff there.

really depends on *what* gets installed. If mach is running as root and installs something (user-controlled?) in a place that *other programs* will read and execute (think scripts in /etc/rc.d/, /etc/cron.d/ or /etc/network/ifupdown.d/) then it can be used as a privilege elevation mechanism. If the contents created below /var/tmp/mach are predictable (in their location or name), it can be exploited to do all kinds of tricks.

I don't know how mach operates precisely; would you care to elaborate how and when it uses /var/tmp/mach/? What files are created there? What control does the user have over the content or naming of those files?

Regards

Javier
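As an added example that is not part of the thread or of the mach package: two POSIX shell helpers a root-run installer could use so that a path an unprivileged user has planted in advance under a world-writable location such as /var/tmp is refused rather than followed. It assumes a Linux system with mktemp; the scratch directory and the "victim" file it symlinks to are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from mach or the thread). The remedy for the
# scenario in the mail is the same for directories and files: create
# with exclusive (O_EXCL) semantics and treat "already exists" as an
# error instead of reusing whatever a local user left at the path.

# safe_mkdir DIR
# Unlike 'mkdir -p', a plain mkdir fails with EEXIST when anything
# already occupies the path, including a symlink (dangling or not),
# so a pre-planted /var/tmp/mach is never silently adopted.
safe_mkdir() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        echo "refusing: $1 already exists (possibly planted)" >&2
        return 1
    fi
    mkdir -m 0700 "$1" || return 1     # the atomic guard is mkdir itself
    [ -d "$1" ] && [ ! -L "$1" ]       # belt and braces: a real directory
}

# safe_write FILE CONTENT
# 'set -C' (noclobber) makes the shell open FILE exclusively, so an
# existing regular file or a symlink such as 'something -> /etc/passwd'
# is refused rather than written through.
safe_write() {
    if [ -L "$1" ]; then
        echo "refusing: $1 is a symlink" >&2
        return 1
    fi
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Demonstration in a private scratch directory (constructed, not /var/tmp):
# planted symlinks are refused, fresh paths are accepted.
demo() {
    ws=$(mktemp -d) || return 1
    printf 'victim\n' > "$ws/victim"                # stand-in for /etc/passwd
    ln -s "$ws/victim" "$ws/mach"                   # pre-planted link
    safe_mkdir "$ws/mach" && return 1               # must be refused
    safe_mkdir "$ws/fresh" || return 1              # must succeed
    ln -s "$ws/victim" "$ws/fresh/something"        # planted inside the dir
    safe_write "$ws/fresh/something" data && return 1   # refused
    safe_write "$ws/fresh/ok" data || return 1          # accepted
    [ "$(cat "$ws/victim")" = "victim" ] || return 1    # victim untouched
    rm -rf "$ws"
    echo "demo ok"
}
```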