oss-sec mailing list archives

Re: Setgid/Setuid binary writing privilege escalation


From: Simon McVittie <smcv () debian org>
Date: Sat, 16 Jan 2016 17:58:15 +0000

On 16/01/16 16:39, halfdog wrote:
> As staff has rwx permissions on python dist-packages and /var/local,
> any root process accessing those is at high risk to be used to
> escalate to uid root also.

The staff group on Debian derivatives like Ubuntu is meant to be
root-equivalent anyway[1] (see
/usr/share/doc/base-passwd/users-and-groups.txt.gz for details of what
this group means). If you want to escalate from staff to root, there's
no need to use clever tricks like these, because staff has write access
to directories on root's default PATH.

There is a long-term plan to make everything that is currently 0775
root:staff instead be 0755 root:root, at least on new installations
<https://bugs.debian.org/299007> but it was being done gradually to
avoid breaking existing systems where the sysadmin might be relying on
the staff group's current functionality, and unfortunately it now seems
to have stalled altogether. I'll contact that bug and try to get things
moving again.

    S
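The risk described in this thread is that root-owned processes trust directories (root's default PATH, Python's dist-packages) that a non-root group can write to. The following audit script is an added example, not code from the original post or from Debian: it walks a PATH-style list and Python package directories and reports every directory a non-root group or everyone could write to. The constructed sample layout, the assumed root PATH value and the use of gid 50 for staff (Debian's conventional value) are assumptions made for the example; pass `--live` to run it against the real filesystem instead.

```python
# Added example (not from the original mailing list post): audit directories
# that a privileged process trusts (root's PATH, Python's dist-packages) for
# entries writable by a non-root group or by everyone.
import os
import site
import stat
import sys
from typing import Callable, Dict, Iterable, List, Tuple

StatFn = Callable[[str], os.stat_result]
Finding = Tuple[str, str]  # (directory, reason)

# Assumed default PATH for root on a Debian system (ENV_SUPATH in login.defs).
ROOT_DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def audit_dirs(dirs: Iterable[str], stat_fn: StatFn = os.stat) -> List[Finding]:
    """Return (directory, reason) for every directory a non-root principal
    could write to.  stat_fn is injectable so the audit can run against a
    constructed permission table as well as the live filesystem."""
    findings: List[Finding] = []
    for d in dirs:
        try:
            st = stat_fn(d)
        except OSError:
            continue  # a missing entry is not, by itself, writable
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != 0:
            findings.append((d, f"owned by non-root uid {st.st_uid}"))
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((d, "world-writable without sticky bit"))
        elif mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((d, f"group-writable by gid {st.st_gid}"))
    return findings


def audit_search_path(path_value: str, stat_fn: StatFn = os.stat) -> List[Finding]:
    """Split a PATH-style string and audit each entry in lookup order."""
    return audit_dirs([p for p in path_value.split(os.pathsep) if p], stat_fn)


def make_table_stat(table: Dict[str, Tuple[int, int, int]]) -> StatFn:
    """Build a stat function over a constructed {path: (mode, uid, gid)} table."""
    def fake_stat(path: str) -> os.stat_result:
        if path not in table:
            raise FileNotFoundError(path)
        mode, uid, gid = table[path]
        # os.stat_result takes the classic 10-tuple:
        # mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
        return os.stat_result((mode, 0, 0, 1, uid, gid, 4096, 0, 0, 0))
    return fake_stat


# Constructed sample resembling a Debian host that still ships 2775 root:staff
# directories (staff is gid 50 on Debian).  Not taken from any real system.
SAMPLE_LAYOUT: Dict[str, Tuple[int, int, int]] = {
    "/usr/local/sbin": (stat.S_IFDIR | 0o2775, 0, 50),
    "/usr/local/bin": (stat.S_IFDIR | 0o2775, 0, 50),
    "/usr/sbin": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/bin": (stat.S_IFDIR | 0o755, 0, 0),
    "/sbin": (stat.S_IFDIR | 0o755, 0, 0),
    "/bin": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/local/lib/python3/dist-packages": (stat.S_IFDIR | 0o2775, 0, 50),
    "/opt/tools/bin": (stat.S_IFDIR | 0o777, 0, 0),  # hypothetical bad entry
}


def main() -> int:
    if "--live" in sys.argv:
        stat_fn: StatFn = os.stat
        path_value = os.environ.get("PATH", ROOT_DEFAULT_PATH)
        py_dirs = site.getsitepackages()
    else:
        stat_fn = make_table_stat(SAMPLE_LAYOUT)
        path_value = ROOT_DEFAULT_PATH
        py_dirs = ["/usr/local/lib/python3/dist-packages"]
    findings = audit_search_path(path_value, stat_fn) + audit_dirs(py_dirs, stat_fn)
    for directory, reason in findings:
        print(f"WRITABLE: {directory}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Any hit on a PATH entry means a member of that group can place a binary that root will execute by name; a hit on a dist-packages directory means the same for any root-run Python program, which is the escalation path the thread describes. The fix on a system that does not rely on the staff group is the one the message mentions: make those directories 0755 root:root.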
