oss-sec mailing list archives
Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness
From: Solar Designer <solar () openwall com>
Date: Tue, 15 Dec 2015 00:54:08 +0300
halfdog -
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

Thank you for documenting these peculiar findings. While your web pages are nicely formatted and have helpful cross-references, could you please post the actual content to oss-security directly? If you can't easily include everything into a message body yet keep it reasonable, then you may attach several text files, including the CreateSetgidBinary.c program.

I hope your website will still be available with this content years later, but regardless I'd prefer discussion threads in here not to rely on external content unnecessarily. If we can make a discussion thread more self-contained, we should.

Including external URLs for reference and better formatting and cross-references is great, but it does not eliminate the need to also include the most essential content directly in your posting.

On Mon, Dec 14, 2015 at 09:14:29PM +0000, halfdog wrote:
> Dag-Erling Smorgrav wrote:
> > And the PAM issue?
>
> That's the most questionable. Should it be expected from the pam libraries to refuse authentication, when the owner/group of /etc/shadow is completely off? Of course, attacker with possibility to modify ownership of a single file would also find numerous other targets to work on, but should it be so easy?
(You mean PAM modules like pam_unix here, not PAM libraries like libpam. And of course this question is not limited to systems with PAM.)

I don't feel about this strongly, but I also see little need to introduce this kind of paranoia into pam_unix and the like. As you point out, there are "numerous other targets", and some of them are not much or any harder to make use of - e.g., root's cron jobs, sshd_config "Subsystem" line, lots of scripts and binaries (but these might require waiting until they're run next).

Alexander
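
The kind of owner/group check the quoted question asks about, as an added C example that is not part of the message and is not pam_unix code. The helper name `open_trusted`, its result codes and the root:root policy in `main` are assumptions made for illustration.

```c
#define _GNU_SOURCE /* O_NOFOLLOW, O_CLOEXEC on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { TRUST_OK, TRUST_OPEN_FAILED, TRUST_NOT_REGULAR,
       TRUST_BAD_OWNER, TRUST_BAD_GROUP, TRUST_LOOSE_MODE };

/* Hypothetical helper: open `path` and verify the *opened* file (fstat on
 * the descriptor, not stat on the name), so the file cannot be swapped
 * between check and use. On TRUST_OK *fd_out is the descriptor, else -1. */
int open_trusted(const char *path, uid_t uid, gid_t gid,
                 mode_t forbidden, int *fd_out)
{
    struct stat st;
    int rc = TRUST_OK;
    /* O_NOFOLLOW: a symlink as last component fails; O_NONBLOCK: no FIFO hang */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    *fd_out = -1;
    if (fd < 0)
        return TRUST_OPEN_FAILED;
    if (fstat(fd, &st) != 0)
        rc = TRUST_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = TRUST_NOT_REGULAR;
    else if (st.st_uid != uid)
        rc = TRUST_BAD_OWNER;
    else if (st.st_gid != gid)
        rc = TRUST_BAD_GROUP;
    else if (st.st_mode & forbidden)
        rc = TRUST_LOOSE_MODE;
    if (rc == TRUST_OK)
        *fd_out = fd;
    else
        close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* Assumed policy: root:root, not group-writable, nothing for others. */
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    int fd, rc = open_trusted(path, 0, 0, S_IWGRP | S_IRWXO, &fd);
    printf("%s: result %d\n", path, rc);
    if (fd >= 0)
        close(fd);
    return rc;
}
```

Systems that keep /etc/shadow under a dedicated group would pass that group's gid instead of 0.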