Bugtraq mailing list archives
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
From: Linux Mailing Lists <linux () aiind upv es>
Date: Wed, 1 Aug 2001 19:00:05 +0200 (MEST)
Hello,
In slackware, and possibly other distributions, it is possible to modify the locate database if one were to obtain UID nobody. This allows locate to act as a sort of 'trojan' having anyone who executes it unknowingly execute potentially malicious code.
Obtaining access to user nobody under Slackware (at least 8.0) seems to be relatively easy, since the apache web daemon runs, by default, under the "nobody" UID. If the administrator lets users run cgis or use any other kind of "interaction" with httpd (includes, exec's, etc...), it might be very easy to run code as user nobody. I've checked Slackware 8.0 and httpd is set up to run as user "nobody".
From /etc/apache/httpd.conf:
# # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run httpd as. # . On SCO (ODT 3) use "User nouser" and "Group nogroup". # . On HPUX you may not be able to use shared memory as nobody, and the # suggested workaround is to create a user www and use that user. # NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) # when the value of (unsigned)Group is above 60000; # don't use Group nobody on these systems! # User nobody Group nobody Suggested work-around: run httpd under another, "private" user ("www" for example) and group, and be sure to disable any kind of interaction between users and the web server (cgis, includes, execs...). Please note that having access to user "nobody" is not that bad unless it's combined with other vulnerabilities (locate, for example, or any other system-wide utility/program which is run as user "nobody"). Greetings, Sergio
Current thread:
- Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Josh Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Linux Mailing Lists (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Josh Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeffrey Denton (Aug 03)
- <Possible follow-ups>
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Olaf Bohlen (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Brian Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Dylan Griffiths (Aug 02)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Felipe Franciosi (Aug 06)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Nasir Simbolon (Aug 02)