Full Disclosure mailing list archives
Re: Fedora/RedHat ConsoleHelper Privileged Access Preserved
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sun, 11 Jan 2004 01:50:35 +0100 (CET)
On Sat, 10 Jan 2004, Jonathan A. Zdziarski wrote:

> I noticed running Gnome 2.4 on Fedora that privileged access acquired via the console helper (and pam) is preserved after the user logs out and back in, for at least an adequate amount of time to log back in and retain root privileges.

This problem is inherent to the design of sudo-type credentials caching in Red Hat's pam_timestamp_check. The observation you've made is not new, IIRC, and there is some disagreement as to whether this should work this way - personally, I would say it is a quite pointless and potentially dangerous feature, but folks at Red Hat probably disagree.

The design is also flawed in many other ways, making it possible to bypass tty name check (rendering part of the ticketing solution ineffective and misleading), and providing a method to escalate trivial file creation races into instant root exploits:

http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00014.html

This was largely ignored by the maintainers, as far as I can tell.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-01-11 01:38 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
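The behaviour discussed above (a pam_timestamp ticket that keeps granting privileged access after the session that earned it has ended) is something an administrator can check for directly. The script below is an added example, not code from this thread, from Red Hat, or from pam_timestamp itself. It assumes, since the page states neither, that tickets are files under `/var/run/sudo` laid out as `<dir>/<user>/<tty path>`, and that a ticket is honoured while its mtime is younger than 300 seconds; both values are placeholders to be checked against the installed module. It lists every ticket, flags the ones still within their lifetime, and highlights those whose tty has no current login session, which is exactly the "privileges preserved after logout" case. The sample ticket tree it runs against when given no directory is constructed inside the script.

```python
#!/usr/bin/env python3
"""Audit cached pam_timestamp tickets for ones that outlive the login session.

Added example, not code from the thread or from Red Hat. Assumptions the
page does not state: tickets are files under TICKET_DIR (here /var/run/sudo),
laid out as <dir>/<user>/<tty path>, and a ticket is honoured while its mtime
is less than TIMEOUT seconds old. Verify both against the installed module.
"""
import os
import subprocess
import sys
import tempfile
import time
from dataclasses import dataclass

TICKET_DIR = "/var/run/sudo"  # assumed default location (placeholder)
TIMEOUT = 300                 # assumed default ticket lifetime in seconds (placeholder)


@dataclass
class Finding:
    path: str
    user: str
    tty: str
    age: float
    valid: bool      # mtime within TIMEOUT, so the ticket would still be honoured
    orphaned: bool   # valid, but no login session is currently on that tty


def active_ttys():
    """ttys with a current login according to `who`; empty set if `who` fails."""
    try:
        out = subprocess.run(["who"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return {f[1] for f in (line.split() for line in out.splitlines()) if len(f) > 1}


def audit_tickets(ticket_dir, logged_in, now=None, timeout=TIMEOUT):
    """Return one Finding per ticket file found under ticket_dir."""
    now = time.time() if now is None else now
    findings = []
    for root, _dirs, files in os.walk(ticket_dir):
        for name in files:
            path = os.path.join(root, name)
            parts = os.path.relpath(path, ticket_dir).split(os.sep)
            user = parts[0]
            tty = "/".join(parts[1:]).split(":")[0]  # assumed "<tty>[:extra]" layout
            age = now - os.stat(path).st_mtime
            valid = 0 <= age < timeout                # a future-dated ticket is not honoured
            findings.append(Finding(path, user, tty, age, valid, valid and tty not in logged_in))
    return findings


def build_sample_tree(now=None):
    """Constructed sample: a fresh ticket on pts/0 and an expired one on pts/1."""
    now = time.time() if now is None else now
    d = tempfile.mkdtemp(prefix="pam_ts_demo_")
    os.makedirs(os.path.join(d, "alice", "pts"))
    for tty, age in (("0", 60), ("1", 1000)):
        p = os.path.join(d, "alice", "pts", tty)
        open(p, "w").close()
        os.utime(p, (now - age, now - age))
    return d, now


def main(argv):
    if argv[1:]:
        ticket_dir, now, logged_in = argv[1], time.time(), active_ttys()
    else:  # no real directory given: run against the constructed sample
        ticket_dir, now = build_sample_tree()
        logged_in = {"pts/1"}  # pretend only pts/1 is still logged in
    for f in audit_tickets(ticket_dir, logged_in, now):
        state = "ORPHANED" if f.orphaned else ("valid" if f.valid else "expired")
        print(f"{f.user:<8} {f.tty:<8} age={f.age:6.0f}s {state}")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the constructed sample, or point it at the real ticket directory (`python3 audit.py /var/run/sudo`) to compare cached tickets against the sessions `who` reports. A ticket reported as ORPHANED is one that would still be honoured even though nobody is logged in on that tty, which is the condition the thread is about; removing the ticket file, or shortening the module's timeout, closes that window.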
Current thread:
- Fedora/RedHat ConsoleHelper Privileged Access Preserved Jonathan A. Zdziarski (Jan 10)
- Re: Fedora/RedHat ConsoleHelper Privileged Access Preserved Michal Zalewski (Jan 10)