Matt,

>> On my Debian systems, I see:
>>   crw-r----- 1 root kmem 1, 2 Nov 13 2002 kmem
>> with read access only. Does that still give you root ...
>
> Read-only access to kernel memory should be sufficient to obtain passwords,
> including the root password or the password of a root-equivalent user.

Thanks. (Somewhat cumbersome; but you are right.)

>> NFS-mounted (user) files, mounted writable on several machines; attacker
>> gets root on one machine, creates setgid-staff binary, gets root on all.
>> Is not that realistic?
>
> Attacker gets root on one machine, creates setuid root binary, gets root on
> all.

Cannot create setuid-root: the filesystem is exported with default
root_squash. Would need to get root on the exporter for that. In my scenario
getting root on any mounter is sufficient.

(I started to think of this, because my boss suggested that we set a
different root password on the exporter, as needing more security than the
various mounters. Most admins would recognize the need to secure the
exporter, but may not realize that root on the mounter also gives it away.)

>> Should not administrators be warned that giving staff privilege is
>> equivalent to root? Are not they being misled into thinking that staff is
>> somehow less dangerous?
>
> I have already said that I support the removal of these privileges from the
> staff group; we do not disagree on this point.

Yes I noticed your agreement, thanks, and thanks for re-stating it. We seem
to disagree on the urgency only: are there any machines that are currently
affected?

Cheers,

Paul Szabo  [EMAIL PROTECTED]  http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics  University of Sydney  Australia