Date: Tue, 15 Dec 2015 00:54:08 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness

halfdog -

> http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
> http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

Thank you for documenting these peculiar findings.  While your web pages
are nicely formatted and have helpful cross-references, could you please
post the actual content to oss-security directly?  If you can't easily
include everything into a message body yet keep it reasonable, then you
may attach several text files, including the CreateSetgidBinary.c
program.  I hope your website will still be available with this content
years later, but regardless I'd prefer discussion threads in here not to
rely on external content unnecessarily.  If we can make a discussion
thread more self-contained, we should.  Including external URLs for
reference and better formatting and cross-references is great, but it
does not eliminate the need to also include the most essential content
directly in your posting.

On Mon, Dec 14, 2015 at 09:14:29PM +0000, halfdog wrote:
> Dag-Erling Smorgrav wrote:
> > And the PAM issue?
> 
> That's the most questionable. Should it be expected from the pam
> libraries to refuse authentication when the owner/group of
> /etc/shadow is completely off? Of course, an attacker with the possibility to
> modify ownership of a single file would also find numerous other
> targets to work on, but should it be so easy?

(You mean PAM modules like pam_unix here, not PAM libraries like libpam.
And of course this question is not limited to systems with PAM.)

I don't feel about this strongly, but I also see little need to
introduce this kind of paranoia into pam_unix and the like.  As you
point out, there are "numerous other targets", and some of them are not
much or any harder to make use of - e.g., root's cron jobs, sshd_config
"Subsystem" line, lots of scripts and binaries (but these might require
waiting until they're run next).

Alexander
