Executive summary: /usr/bin/suidexec gives every user a root shell. Remove it. tlr ----- Forwarded message from Thomas Roessler <roesslerat_private> ----- Date: Tue, 28 Apr 1998 15:21:17 +0200 From: Thomas Roessler <roesslerat_private> Subject: suidmanager: SECURITY BREACH: /usr/bin/suidexec gives root access to every user on the system To: submitat_private Package: suidmanager Version: 0.18 [This report also goes to the bugtraq mailing list.] /usr/bin/suidexec will execute arbitrary commands as root, as soon as just _one_ suid root shell script can be found on the system: Just invoke /usr/bin/suidexec <your program> /path/to/script - it will happily execute your program with euid = 0. This is completely sufficient for doing arbitrary damage on the system. Additionally, suidexec will fail with shells which close all but the "standard" file descriptorson startup: /proc/self/fd/<N> (which is the file descriptor suidexec has opened for the shell script in question) will have vanished after this. I am actually considering this a feature, as it avoids some of the $HOME/.cshrc related standard exploits. SOLUTION: Just drop suidexec from the distribution. Trying to do setuid shell scripts is almost always a bad idea. If you absolutely need such things, use sudo. -- System Information Debian Release: 2.0 (frozen) Kernel Version: Linux sobolev 2.0.33 #16 Sun Apr 19 23:48:02 MEST 1998 i586 unknown Versions of the packages suidmanager depends on: libc6 Version: 2.0.7pre1-4 ----- End forwarded message ----- -- Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/ 2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:34 PDT