Comment 83 for bug 13795

Debian Bug Importer (debzilla) wrote:

Message-Id: <email address hidden>
Date: Tue, 22 Mar 2005 15:57:35 +1100
From: <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH

Matt,

>> On my Debian systems, I see:
>> crw-r----- 1 root kmem 1, 2 Nov 13 2002 kmem
>> with read access only. Does that still give you root ...
>
> Read-only access to kernel memory should be sufficient to obtain passwords,
> including the root password or the password of a root-equivalent user.

Thanks. (Somewhat cumbersome; but you are right.)

>> NFS-mounted (user) files, mounted writable on several machines; attacker
>> gets root on one machine, creates setgid-staff binary, gets root on all.
>> Is not that realistic?
>
> Attacker gets root on one machine, creates setuid root binary, gets root on
> all.

Cannot create setuid-root: the filesystem is exported with default
root_squash. Would need to get root on the exporter for that. In my
scenario getting root on any mounter is sufficient.

(I started to think of this, because my boss suggested that we set a
different root password on the exporter, as needing more security than the
various mounters. Most admins would recognize the need to secure the
exporter, but may not realize that root on the mounter also gives it away.)

>> Should not administrators be warned that giving staff privilege is
>> equivalent to root? Are not they being misled into thinking that staff is
>> somehow less dangerous?
>
> I have already said that I support the removal of these privileges from the
> staff group; we do not disagree on this point.

Yes I noticed your agreement, thanks, and thanks for re-stating it. We seem
to disagree on the urgency only: are there any machines that are currently
affected?

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
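As an added example, not from this bug thread or from the base-files package: a small POSIX shell audit that reports PATH entries writable by a group or by everyone and the setuid/setgid files sitting in them, which is the check an administrator would run to find the staff-group exposure the message describes. It assumes `find -maxdepth` (GNU and BSD) and the usual `ls -ld` mode-string layout; the directory names and the sample tree it builds in a temp directory are constructed for the demonstration, and the remark that Debian's /usr/local was historically root:staff with mode 2775 is background not stated in the message.

```shell
#!/bin/sh
# Added example: audit PATH directories for the exposure discussed in the thread.
# Not code from the bug report; the sample tree below is constructed in a temp dir
# and the Debian directory names are illustrative only.

# mode_of PATHNAME: print the ls-style mode string (e.g. drwxrwsr-x).
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# path_writable_dirs LIST: print each existing directory of the colon-separated
# LIST that is group- or world-writable. A group-writable entry in PATH
# (Debian's /usr/local/bin was historically root:staff 2775) means any member of
# that group controls what every user, root included, runs by bare name.
path_writable_dirs() {
    echo "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        mode=$(mode_of "$dir")
        # character 6 is the group write bit, character 9 the world write bit
        case "$(echo "$mode" | cut -c6)$(echo "$mode" | cut -c9)" in
            *w*) echo "$dir" ;;
        esac
    done
}

# setid_files DIR: print regular files directly inside DIR with setuid or setgid
# set. On an NFS export with root_squash a client cannot create a setuid-root
# file, but it can create a setgid file for an ordinary group such as staff.
setid_files() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_path LIST: one line per finding, "DIR writable" and "DIR setid FILE".
audit_path() {
    path_writable_dirs "$1" | while IFS= read -r dir; do
        echo "$dir writable"
        setid_files "$dir" | while IFS= read -r f; do
            echo "$dir setid $f"
        done
    done
}

# build_demo_tree: constructed sample layout in a fresh temp dir; prints its root.
build_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin" "$demo/usr/local/bin"
    chmod 755 "$demo/usr/bin"
    chmod 2775 "$demo/usr/local/bin"           # group-writable, like Debian's /usr/local
    printf '#!/bin/sh\nexit 0\n' > "$demo/usr/local/bin/helper"
    chmod 2755 "$demo/usr/local/bin/helper"    # setgid file sitting in the writable dir
    printf '#!/bin/sh\nexit 0\n' > "$demo/usr/bin/plain"
    chmod 755 "$demo/usr/bin/plain"
    echo "$demo"
}

# Demo run: audit a constructed PATH, then clean up.
demo_root=$(build_demo_tree)
audit_path "$demo_root/usr/local/bin:$demo_root/usr/bin"
rm -rf "$demo_root"
```

On a real host run `audit_path "$PATH"` as the user whose PATH is in question; a directory reported as writable that precedes the system directories is the case the thread is about, and any setid file it lists deserves a look at who could have placed it, especially on NFS-mounted trees where root on any client is enough.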