Date: Tue, 15 Dec 2015 00:54:08 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness halfdog - > http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ > http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ Thank you for documenting these peculiar findings. While your web pages are nicely formatted and have helpful cross-references, could you please post the actual content to oss-security directly? If you can't easily include everything into a message body yet keep it reasonable, then you may attach several text files, including the CreateSetgidBinary.c program. I hope your website will still be available with this content years later, but regardless I'd prefer discussion threads in here not to rely on external content unnecessarily. If we can make a discussion thread more self-contained, we should. Including external URLs for reference and better formatting and cross-references is great, but it does not eliminate the need to also include the most essential content directly in your posting. On Mon, Dec 14, 2015 at 09:14:29PM +0000, halfdog wrote: > Dag-Erling Smorgrav wrote: > > And the PAM issue? > > That's the most questionable. Should it be expected from the pam > libraries to refuse authentication, when the owner/group of > /etc/shadow is completely off? Of course, attacker with possibility to > modify ownership of a single file would also find numerous other > targets to work on, but should it be so easy? (You mean PAM modules like pam_unix here, not PAM libraries like libpam. And of course this question is not limited to systems with PAM.) I don't feel about this strongly, but I also see little need to introduce this kind of paranoia into pam_unix and the like. As you point out, there are "numerous other targets", and some of them are not much or any harder to make use of - e.g., root's cron jobs, sshd_config "Subsystem" line, lots of scripts and binaries (but these might require waiting until they're run next). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.