Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151214215407.GA26624@openwall.com>
Date: Tue, 15 Dec 2015 00:54:08 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness

halfdog -

> http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
> http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

Thank you for documenting these peculiar findings.  While your web pages
are nicely formatted and have helpful cross-references, could you please
post the actual content to oss-security directly?  If you can't easily
include everything into a message body yet keep it reasonable, then you
may attach several text files, including the CreateSetgidBinary.c
program.  I hope your website will still be available with this content
years later, but regardless I'd prefer discussion threads in here not to
rely on external content unnecessarily.  If we can make a discussion
thread more self-contained, we should.  Including external URLs for
reference and better formatting and cross-references is great, but it
does not eliminate the need to also include the most essential content
directly in your posting.

On Mon, Dec 14, 2015 at 09:14:29PM +0000, halfdog wrote:
> Dag-Erling Smorgrav wrote:
> > And the PAM issue?
> 
> That's the most questionable. Should it be expected from the pam
> libraries to refuse authentication, when the owner/group of
> /etc/shadow is completely off? Of course, attacker with possibility to
> modify ownership of a single file would also find numerous other
> targets to work on, but should it be so easy?

(You mean PAM modules like pam_unix here, not PAM libraries like libpam.
And of course this question is not limited to systems with PAM.)

I don't feel about this strongly, but I also see little need to
introduce this kind of paranoia into pam_unix and the like.  As you
point out, there are "numerous other targets", and some of them are not
much or any harder to make use of - e.g., root's cron jobs, sshd_config
"Subsystem" line, lots of scripts and binaries (but these might require
waiting until they're run next).

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.