oss-sec mailing list archives
Re: Setgid/Setuid binary writing privilege escalation
From: Simon McVittie <smcv () debian org>
Date: Sat, 16 Jan 2016 17:58:15 +0000
On 16/01/16 16:39, halfdog wrote:
> As staff has rwx permissions on python dist-packages and /var/local, any root process accessing those is at high risk to be used to escalate to uid root also.
The staff group on Debian derivatives like Ubuntu is meant to be root-equivalent anyway[1] (see /usr/share/doc/base-passwd/users-and-groups.txt.gz for details of what this group means). If you want to escalate from staff to root, there's no need to use clever tricks like these, because staff has write access to directories on root's default PATH.

There is a long-term plan to make everything that is currently 0775 root:staff instead be 0755 root:root, at least on new installations <https://bugs.debian.org/299007> but it was being done gradually to avoid breaking existing systems where the sysadmin might be relying on the staff group's current functionality, and unfortunately it now seems to have stalled altogether. I'll contact that bug and try to get things moving again.

S
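As an added example (not code from this thread or from Debian), a POSIX shell audit for the condition described above: directories on root's PATH, plus /var/local and the python dist-packages directories, that the staff group can write to. It assumes GNU coreutils `stat` (Linux); the root PATH string in the wrapper is an assumption taken from a default Debian /etc/profile, not from the thread.

```shell
#!/bin/sh
# Flag directories on a PATH-style list that the given group (on Debian:
# "staff") can write to. Assumes GNU coreutils `stat`.

# audit_path_dirs PATH_STRING GROUP
# Prints one line per existing directory on PATH_STRING that is either
# world-writable or group-writable and owned by GROUP. Entries that do not
# exist are skipped. Returns 1 if anything was flagged, 0 if the list is clean.
audit_path_dirs() {
    _grp="$2"
    _found=0
    _save_ifs="$IFS"
    IFS=:
    set -- $1                     # split on ':'; unquoted so globs expand
    IFS="$_save_ifs"
    for _dir in "$@"; do
        [ -d "$_dir" ] || continue
        _mode=$(stat -c '%a' "$_dir") || continue   # e.g. 775 or 2775
        _dgrp=$(stat -c '%G' "$_dir") || continue   # owning group name
        _other=$(( _mode % 10 ))                    # last octal digit: other
        _group=$(( (_mode / 10) % 10 ))             # middle digit: group
        if [ $(( _other & 2 )) -ne 0 ]; then
            printf '%s: world-writable (mode %s)\n' "$_dir" "$_mode"
            _found=1
        elif [ "$_dgrp" = "$_grp" ] && [ $(( _group & 2 )) -ne 0 ]; then
            printf '%s: writable by group %s (mode %s)\n' "$_dir" "$_grp" "$_mode"
            _found=1
        fi
    done
    return $_found
}

# audit_debian_staff_dirs: root's default PATH (assumed from /etc/profile),
# /var/local and any python dist-packages tree, checked for group "staff".
# The python*/ glob expands inside audit_path_dirs; unmatched patterns are
# simply skipped because they are not existing directories.
audit_debian_staff_dirs() {
    audit_path_dirs \
        "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/local:/usr/local/lib/python*/dist-packages" \
        staff
}
```

A flagged directory is the 0775 root:staff case from the bug linked above; the corresponding remediation is the 0755 root:root mode the thread describes.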