Date: Sat, 16 Jan 2016 17:58:15 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Setgid/Setuid binary writing privilege escalation

On 16/01/16 16:39, halfdog wrote:
> As staff
> has rwx permissions on python dist-packages and /var/local, any root
> process accessing those is at high risk to be used to escalate to uid
> root also.

The staff group on Debian derivatives like Ubuntu is meant to be
root-equivalent anyway[1] (see
/usr/share/doc/base-passwd/users-and-groups.txt.gz for details of what
this group means). If you want to escalate from staff to root, there's
no need to use clever tricks like these, because staff has write access
to directories on root's default PATH.

There is a long-term plan to make everything that is currently 0775
root:staff instead be 0755 root:root, at least on new installations
<https://bugs.debian.org/299007> but it was being done gradually to
avoid breaking existing systems where the sysadmin might be relying on
the staff group's current functionality, and unfortunately it now seems
to have stalled altogether. I'll contact that bug and try to get things
moving again.

    S
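The point Simon makes above, that staff can already reach root because it has write access to directories on root's default PATH, is easy to verify on a given system. The following is an added example for this page, not code from the original post or from Debian: a POSIX shell function that walks a PATH value and prints every directory whose group-write bit is set, optionally restricted to directories owned by a named group such as staff. The ROOT_DEFAULT_PATH value is assumed to match ENV_SUPATH from Debian's /etc/login.defs and should be treated as an assumption; the group filter relies on GNU stat's `%G` format.

```shell
#!/bin/sh
# Added example (not from the original post or from Debian): report
# directories on a PATH that are group-writable, optionally only those
# owned by a particular group (e.g. staff on Debian derivatives).

# Assumed default root PATH on Debian (ENV_SUPATH in /etc/login.defs).
ROOT_DEFAULT_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# group_writable_path_dirs PATH_VALUE [GROUP]
# Prints each existing directory in PATH_VALUE that has the group-write
# bit set. If GROUP is given, only directories owned by that group are
# printed (uses GNU stat -c %G; assumption: GNU coreutils is installed).
group_writable_path_dirs() {
    path_value=$1
    want_group=${2:-}

    # Split on ':' without pathname expansion, restoring IFS afterwards.
    old_ifs=$IFS
    set -f
    IFS=:
    set -- $path_value
    IFS=$old_ifs
    set +f

    for d in "$@"; do
        [ -d "$d" ] || continue
        # -maxdepth 0 tests the directory itself without descending;
        # -perm -g=w matches when the group-write bit is set.
        if [ -n "$(find "$d" -maxdepth 0 -perm -g=w 2>/dev/null)" ]; then
            if [ -n "$want_group" ]; then
                g=$(stat -c %G "$d" 2>/dev/null) || continue
                [ "$g" = "$want_group" ] || continue
            fi
            printf '%s\n' "$d"
        fi
    done
}

# Stand-alone use: show which of root's default PATH entries the staff
# group could drop a trojaned binary into.
if [ "${1:-}" = "--check-staff" ]; then
    group_writable_path_dirs "$ROOT_DEFAULT_PATH" staff
fi
```

Run it with `--check-staff` on a Debian-derived host; any line printed is a directory ahead of (or alongside) /usr/bin in root's search order that a staff member can populate, which is exactly why the group is documented as root-equivalent.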
