Re: Bug#357561: privilege escalation hole
On Friday 02 March 2007 21:30, Bjørn Mork <email@example.com> wrote:
> Nor did I. Does anyone have a pointer to a discussion of this? I
> assume it must have been discussed a few times already.
A few times in other places, not sure about this list.
> I think I'll stop using su now ;-)
"setsid su" will be fine, as will "exec su" in some situations (where the call
chain results in the termination of su closing the terminal).
> BTW, I noticed that mysql-server-5.0 also has a problem similar to
> apache. This is the ps output after a recent "apt-get upgrade":
> root 8458 0.0 0.0 3912 904 pts/3 S Feb28 0:00 /bin/sh /usr/bin/mysqld_safe
> mysql 8495 0.0 0.3 126524 3780 pts/3 Sl Feb28 0:00 \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --ski
> root 8496 0.0 0.0 2968 356 pts/3 S Feb28 0:00 \_ logger -p daemon.err -t mysqld_safe -i -t mysqld
It's hard to tell. The parent process didn't call setsid(); it would probably
be best if mysqld_safe called setsid() before executing mysqld. But
if mysqld called setsid() then it would not be exploitable.
> Does the special treatment of terminal exploits mean that this is not a
> bug? Or should it be reported with a low severity? As opposed to
> apache, normal users rarely have access to run their own code in mysql
> context anyway, so exploiting this may be difficult.
If a user cracks the mysqld then they may be able to take over the root
account because of this. I believe that it's something that we should get
fixed. Using setsid(8) to run mysqld would fix it.
The mysqld is started as root and then changes its UID to mysql; this means
that it cannot be ptraced (in a default kernel configuration), which makes it
slightly more difficult to exploit this apparent bug.
Also in a default Debian install there is no password for the "root" account
in the MySQL users table (see the following for an example). I've just filed
a bug report against mysql-server.
$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u
Host User Password
localhost debian-sys-maint *882F
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
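A defender-side check for the condition discussed in this thread, added here as an example and not taken from the thread or from Debian's packaging: it parses `ps -eo pid,ppid,user,tty,args` output and flags service-account processes that still hold a controlling terminal, i.e. daemons that were not started under setsid. The SERVICE_USERS set and the constructed sample (modelled on the ps listing quoted above) are assumptions.

```python
"""Flag daemons that kept a controlling terminal instead of detaching."""
import subprocess

# Accounts expected to run detached from any terminal (assumed list).
SERVICE_USERS = {"mysql", "www-data", "postgres"}

# Constructed sample, modelled on the ps output quoted in the thread:
# mysqld was started from a root shell on pts/3 and never called setsid().
SAMPLE_PS = """\
  PID  PPID USER     TT       COMMAND
 8458     1 root     pts/3    /bin/sh /usr/bin/mysqld_safe
 8495  8458 mysql    pts/3    /usr/sbin/mysqld --basedir=/usr --user=mysql
 8496  8458 root     pts/3    logger -p daemon.err -t mysqld_safe -i -t mysqld
 9001     1 postgres ?        /usr/lib/postgresql/bin/postgres
 9100  9099 alice    pts/5    bash
"""

def parse_ps(text):
    """Turn `ps -eo pid,ppid,user,tty,args` output into dicts, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, user, tty, args = parts
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user,
                     "tty": tty, "args": args})
    return rows

def find_attached_daemons(rows, service_users=SERVICE_USERS):
    """Return service-account processes that still have a controlling tty.

    A `?` in the TT column means no controlling terminal, which is what a
    daemon run via setsid looks like; anything else means the process can
    still reach the terminal its parent shell was running on.
    """
    return [r for r in rows if r["user"] in service_users and r["tty"] != "?"]

def live_report():
    """Run ps on this host and return the flagged rows."""
    out = subprocess.run(["ps", "-eo", "pid,ppid,user,tty,args"],
                         capture_output=True, text=True, check=True).stdout
    return find_attached_daemons(parse_ps(out))

if __name__ == "__main__":
    for r in find_attached_daemons(parse_ps(SAMPLE_PS)):
        print(f"pid {r['pid']} ({r['user']}) still on {r['tty']}: {r['args']}")
```

On the sample only mysqld (pid 8495) is reported; the postgres process on `?` passes, and root's own shell and logger are not service accounts.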