Date: Sat, 16 Jan 2016 17:58:15 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Setgid/Setuid binary writing privilege escalation

On 16/01/16 16:39, halfdog wrote:
> As staff
> has rwx permissions on python dist-packages and /var/local, any root
> process accessing those is at high risk to be used to escalate to uid
> root also.

The staff group on Debian derivatives like Ubuntu is meant to be
root-equivalent anyway[1] (see
/usr/share/doc/base-passwd/users-and-groups.txt.gz for details of what
this group means). If you want to escalate from staff to root, there's
no need to use clever tricks like these, because staff has write access
to directories on root's default PATH.

There is a long-term plan to make everything that is currently 0775
root:staff instead be 0755 root:root, at least on new installations
<https://bugs.debian.org/299007> but it was being done gradually to
avoid breaking existing systems where the sysadmin might be relying on
the staff group's current functionality, and unfortunately it now seems
to have stalled altogether. I'll contact that bug and try to get things
moving again.

    S

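A defender-side check for the point made above, added here as an example and not part of the mailing-list post: a POSIX shell audit of root's default PATH that reports any directory its group or other users can write to (the 0775 root:staff case). It assumes GNU coreutils `stat` and the Debian default root PATH from login.defs ENV_SUPATH; the function name and ROOT_DEFAULT_PATH are assumptions of this example.

```shell
#!/bin/sh
# Audit a PATH-style list of directories for entries that their group or
# other users can write to. Assumes GNU coreutils (stat -c), as on Debian.

# Root's default PATH on Debian/Ubuntu (ENV_SUPATH in /etc/login.defs);
# /usr/local/{bin,sbin} are the classic 0775 root:staff directories.
ROOT_DEFAULT_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# audit_path_dirs PATHLIST
# Prints "<mode> <owner> <group> <dir>" for every existing directory in
# PATHLIST whose group or "other" permission class has the write bit set.
# Returns 1 if at least one such directory was found, 0 otherwise.
audit_path_dirs() {
    found=0
    saved_ifs=$IFS
    IFS=:
    for d in $1; do
        [ -d "$d" ] || continue
        info=$(stat -c '%a %U %G' "$d" 2>/dev/null) || continue
        mode=${info%% *}
        # Keep the last three octal digits (drops a leading setgid/sticky digit).
        perm=${mode#"${mode%???}"}
        case $perm in
            # group digit or other digit with the write bit (2) set
            ?[2367]?|??[2367]) printf '%s %s\n' "$info" "$d"; found=1 ;;
        esac
    done
    IFS=$saved_ifs
    return $found
}

# Remediation matching the plan described in the post: make such directories
# 0755 root:root once nothing on the system relies on staff-group writes.
#   chown root:root DIR && chmod 0755 DIR

audit_path_dirs "$ROOT_DEFAULT_PATH" || echo "writable directories found on root's PATH"
```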