The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[linux-security] [Debian 2.0] /usr/bin/suidexec gives root access


<< Previous INDEX Search src Set bookmark Go to bookmark Next >> 
X-RDate: Thu, 30 Apr 1998 18:59:54 +0600 (YEKST)
X-UIDL: 35317d340000013b
Date: Tue, 28 Apr 1998 15:28:54 +0200
From: Thomas Roessler <roessler@guug.de>
To: BUGTRAQ@NETSPACE.ORG
Subject: [linux-security] [Debian 2.0] /usr/bin/suidexec gives root access

Executive summary: /usr/bin/suidexec gives every user a
root shell.  Remove it.

tlr

----- Forwarded message from Thomas Roessler <roessler@guug.de> -----

Date: Tue, 28 Apr 1998 15:21:17 +0200
=46rom: Thomas Roessler <roessler@guug.de>
Subject: suidmanager: SECURITY BREACH: /usr/bin/suidexec gives root a=
ccess to every user on the system
To: submit@bugs.debian.org

Package: suidmanager
Version: 0.18

[This report also goes to the bugtraq mailing list.]

/usr/bin/suidexec will execute arbitrary commands as root,
as soon as just _one_ suid root shell script can be found
on the system: Just invoke

         /usr/bin/suidexec <your program> /path/to/script

- it will happily execute your program with euid =3D 0. This
is completely sufficient for doing arbitrary damage on the
system.

Additionally, suidexec will fail with shells which close
all but the "standard" file descriptorson startup:
/proc/self/fd/<N> (which is the file descriptor suidexec
has opened for the shell script in question) will have
vanished after this.  I am actually considering this a
feature, as it avoids some of the $HOME/.cshrc related
standard exploits.

SOLUTION: Just drop suidexec from the distribution. Trying
to do setuid shell scripts is almost always a bad idea. If
you absolutely need such things, use sudo.

-- System Information
Debian Release: 2.0 (frozen)
Kernel Version: Linux sobolev 2.0.33 #16 Sun Apr 19 23:48:02 MEST 199=
8 i586 unknown

Versions of the packages suidmanager depends on:
libc6   Version: 2.0.7pre1-4


----- End forwarded message -----

--
Thomas Roessler =B7 74a353cc0b19 =B7 dg1ktr =B7 http://home.pages.de/=
~roessler/
     2048/CE6AC6C1 =B7 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C=
1

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру