Matt Zimmerman <[EMAIL PROTECTED]> wrote:

> The fact, though, is that this is a privilege escalation from the
> (documented, but essentially unused) 'staff' group to root. Similar
> escalations exist commonly in other systems via, e.g., the 'bin' user/group
> which owns binaries in the default PATH. The "kmem" group also leads
> trivially to root.

On my Debian systems, I see:

  [EMAIL PROTECTED]:~$ ls -l /dev | grep mem
  crw-r-----    1 root     kmem       1,   2 Nov 13  2002 kmem
  crw-r-----    1 root     kmem       1,   1 Nov 13  2002 mem
  crw-r-----    1 root     kmem       1,   4 Nov 13  2002 port

with read access only. Does that still give you root, or did you (also) mean that for other systems, where kmem has write access?

Debian policy says that files should be owned by root:root (as distinct from bin:bin). Was not that designed to avoid such escalation?

> But unless the system administrator takes it upon themselves to give
> these privileges away, there is no realistic attack vector, and no
> justification for alarm.

NFS-mounted (user) files, mounted writable on several machines; attacker gets root on one machine, creates setgid-staff binary, gets root on all. Is not that realistic? Should not administrators be warned that giving staff privilege is equivalent to root? Are not they being misled into thinking that staff is somehow less dangerous?

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
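As an added example, not code from either poster: a small POSIX sh audit that lists files setgid to a named group (the thread's 'staff') under a given mount point, which is what an administrator would want to run over a writable NFS export, and reports whether the kmem-group device nodes grant group write access. The function names, the `-xdev` single-filesystem scope and the device list are assumptions.

```shell
#!/bin/sh
# Added example: audit one filesystem for setgid-to-group files and check
# whether memory device nodes are group-writable. Assumes POSIX find/ls.

# Print every regular file under $1 that is setgid and owned by group $2.
# -xdev keeps the scan on the one filesystem (e.g. a single NFS mount);
# a hit on a shared export is reachable from every client that mounts it.
find_setgid_for_group() {
    dir=$1
    group=$2
    find "$dir" -xdev -type f -perm -2000 -group "$group" 2>/dev/null
}

# Return 0 if the group-write bit is set on $1 (a device node such as
# /dev/kmem), 1 if it is clear or the path does not exist.
group_writable() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    # character 6 of the ls mode string is the group write bit
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]
}

# Report setgid-$2 files under $1, then the state of the kmem-group devices
# (read-only, as in the poster's listing, versus group-writable).
audit_privileged_group() {
    dir=$1
    group=$2
    hits=$(find_setgid_for_group "$dir" "$group")
    if [ -n "$hits" ]; then
        printf 'setgid-%s files under %s:\n%s\n' "$group" "$dir" "$hits"
    else
        printf 'no setgid-%s files under %s\n' "$group" "$dir"
    fi
    for dev in /dev/kmem /dev/mem /dev/port; do
        if group_writable "$dev"; then
            printf '%s: group has WRITE access\n' "$dev"
        elif [ -e "$dev" ]; then
            printf '%s: group read-only\n' "$dev"
        fi
    done
}
```

Run as `audit_privileged_group /path/to/nfs/export staff` from a shell that has sourced the file; the device check is informative only and does not modify anything.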