On Wed., 2011-08-24 at 18:56 +0200, Yves-Alexis Perez wrote:
> On Wed., 2011-08-24 at 18:33 +0200, Moritz Muehlenhoff wrote:
> > Sebastian Krahmer posted the following to oss-security:
> >
> > ---
> >
> > From: Sebastian Krahmer <krah...@suse.de>
> > To: oss-secur...@lists.openwall.com
> > Cc: robert.anc...@canonical.com
> > Subject: [oss-security] lightdm issues
> >
> > Hi,
> >
> > lightdm (0.9.2), which aims to be an xdm replacement, seems to
> > fall into the same pitfalls as kdm and gdm recently. There is
> > a lot of uid 0 code creating and chown()ing files in user dirs, such as
> > ~/.dmrc and ~/.Xauthority. Probably more, depending on
> > how the permissions of cache and log directories are set up. For
> > example, process_start() also creates and chown()s logfiles on users' behalf.
> >
> > There is also one thing that I don't understand about the lightdm
> > user itself and why pam sessions seem to be started for it inside
> > the greeter session code.
> >
> > The xdmcp code seems to be OK so far, after a quick review.
>
> Yup, I'm on oss-sec so I've seen this and am waiting for Robert's answer.
>
> I guess the proper way to do it would be to move all the user-related
> work *after* the setuid() call and before exec()ing the session
> wrapper.
> Not sure how gdm3/xdm/slim handle that, but there might be inspiration
> there too.
And, out of curiosity, how would you achieve privilege escalation? You should be able to erase/rewrite arbitrary files, including /etc/shadow, but you don't really have control over what's written there.

Regards,
--
Yves-Alexis
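As an added example (not lightdm's code, nor anything posted in this thread), here is the pattern Sebastian describes, a uid 0 process creating and chown()ing a dotfile under a path the user controls, next to a hardened version and a privilege-drop helper that implements the ordering suggested above (drop to the user first, then touch the home directory, then exec). Everything here is constructed for illustration: the scratch directory, the `shadow`/`.dmrc` file names standing in for `/etc/shadow` and `~/.dmrc`, and the `root_create_and_chown`, `safe_open_user_file`, `drop_to_user` and `run_variant` helpers. It runs unprivileged, so the "root" variant merely shows that the symlink is followed and the target truncated.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE, as described in the thread: uid 0 creates the user's dotfile and
 * then chown()s it. open() and chown() both follow symlinks, so a ~/.dmrc that
 * points at /etc/shadow gets root to truncate it and hand it to the user. */
int root_create_and_chown(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0 && chown(path, uid, gid) < 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* HARDENED: meant to run after drop_to_user(), so the kernel enforces the
 * session user's permissions. Additionally refuse a symlink in the last path
 * component (ELOOP) and verify on the open descriptor that this is a regular
 * file owned by that user, which also catches a hard link to someone else's file. */
int safe_open_user_file(const char *path, uid_t expected_uid)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == expected_uid;
    if (ok && ftruncate(fd, 0) == 0)
        return fd;
    close(fd);
    errno = ok ? errno : EPERM;
    return -1;
}

/* Privilege drop in the order suggested above: call it before touching the home
 * directory and before exec()ing the session wrapper. A real display manager also
 * sets supplementary groups (initgroups(3)); that needs CAP_SETGID, so it is omitted
 * here so the example also runs unprivileged. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* if we were root, regaining uid 0 must fail */
        return -1;
    return 0;
}

/* Constructed scenario: "shadow" stands in for the root-owned target and a
 * symlink named .dmrc points at it, both inside a scratch directory. */
static const char SECRET[] = "root:$6$not-a-real-hash:19000:0:99999:7:::\n";

static int setup(const char *dir, char *target, char *link, size_t n)
{
    snprintf(target, n, "%s/shadow", dir);
    snprintf(link, n, "%s/.dmrc", dir);
    unlink(link);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, SECRET, sizeof SECRET - 1);
    close(fd);
    return (w == (ssize_t)(sizeof SECRET - 1) && symlink(target, link) == 0) ? 0 : -1;
}

/* Run one variant against a fresh symlink: 1 if the target was truncated,
 * 0 if the open was refused with ELOOP and the target is intact, -1 otherwise. */
int run_variant(const char *dir, int hardened)
{
    char target[4096], link[4096];
    struct stat st;
    if (setup(dir, target, link, sizeof target) < 0)
        return -1;
    int fd = hardened ? safe_open_user_file(link, getuid())
                      : root_create_and_chown(link, getuid(), getgid());
    int err = errno;
    if (fd >= 0)
        close(fd);
    if (stat(target, &st) < 0)
        return -1;
    if (fd >= 0 && st.st_size == 0)
        return 1;
    if (fd < 0 && err == ELOOP && st.st_size == (off_t)(sizeof SECRET - 1))
        return 0;
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/dmrc-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 1;
    printf("vulnerable open()+chown(): target truncated? %s\n", run_variant(dir, 0) == 1 ? "yes" : "no");
    printf("hardened O_NOFOLLOW open(): refused, target intact? %s\n", run_variant(dir, 1) == 0 ? "yes" : "no");
    return drop_to_user(getuid(), getgid());
}
```

Two caveats on the hardened variant: O_NOFOLLOW only guards the final path component, so a symlinked parent directory (or a `~` that is itself a symlink) is still followed, and the ownership check only helps against hard links that already exist. That is why the ordering in the thread is the real fix: once the process has dropped to the session user, the kernel's own permission checks decide what the user may create or truncate, and the O_NOFOLLOW/fstat checks are defence in depth rather than the thing standing between a symlink and /etc/shadow.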