Re: file/directory name usage under /
On 2013-08-24 23:20:39 -0600, Bob Proulx wrote:
> Vincent Lefevre wrote:
> > Bob Proulx wrote:
> > > Vincent Lefevre wrote:
> > > > Is it OK that anyone who has write access in this directory can
> > > > become root on the machine?
> > >
> > > That question is ambiguous. Do you mean that someone who can write to
> > > /foo can use that to become root?
> >
> > Yes. Say, during an upgrade of the system or package installation,
> > some given file /foo/bar gets executed under root (thanks to ldd).
>
> Please say more? I know of no way that having write to /foo will give
> privilege escalation.

The directory in question is "/libx32". If a user has write access
to it, he can create a "/libx32/ld-linux-x32.so.2" executable that
will be executed as root when update-initramfs is run:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720735

Actually it appears that all /lib* are optionally part of the FHS
(the Wikipedia article didn't mention them). One can still wonder
whether there is a risk that a directory like /libx32 (which
doesn't even correspond to a compatible architecture: yields
crashes) might be used locally in some special way, with additional
permissions.

BTW, Debian doesn't even comply with the FHS concerning such
directories:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720777
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720778
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720780

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
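
A defensive check for the condition described in this message, as an added example that is not part of the original post or of Debian's tooling: it lists top-level lib* directories that are not owned by a trusted UID or that are group- or world-writable. The function names, the AUDIT_ROOT variable and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): flag top-level lib*
# directories that someone other than a trusted owner can write to.
# Assumes GNU stat (as on Debian); POSIX ACLs are not examined.

# mode_is_writable_by_others MODE: true if the octal MODE printed by
# stat (e.g. 755, 1777) has the group- or world-write bit set. The sticky
# bit does not help: new files can still be created in the directory.
mode_is_writable_by_others() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# audit_lib_dirs [ROOT] [TRUSTED_UID]: print one line per suspicious
# ROOT/lib* directory; return 1 if any was found, 0 otherwise.
audit_lib_dirs() {
    root=${1:-/}
    trusted_uid=${2:-0}
    findings=0
    for d in "${root%/}"/lib*; do
        [ -d "$d" ] || continue
        # -L: judge the real directory when lib* is a symlink (merged /usr)
        owner=$(stat -L -c %u "$d")
        mode=$(stat -L -c %a "$d")
        reason=
        [ "$owner" -eq "$trusted_uid" ] || reason="owner uid $owner"
        if mode_is_writable_by_others "$mode"; then
            reason="${reason:+$reason, }mode $mode"
        fi
        if [ -n "$reason" ]; then
            echo "UNSAFE $d ($reason)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Check the running system (or the tree named by AUDIT_ROOT).
audit_lib_dirs "${AUDIT_ROOT:-/}" ||
    echo "review write access to the directories listed above" >&2
```

The second argument exists so the check can be exercised on a scratch tree owned by an unprivileged user; on a real system leave it at the default of 0.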