On Mon, Jan 24, 2000 at 02:55:42PM -0600, Brock Sides wrote:
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:

There are a number of ways to get majordomo to execute your perl code.
I mailed the developers a list of things I consider insecure (like being
able to give it a list name of ../../../../tmp/foo, and it'll create
/tmp/foo as majordomo).

Other cool things include

	wrapper config-test <your perl script file here>

You see, the recommended installation doesn't even distinguish between
debugging and production code -- anybody can run anything in the
majordomo directory with majordomo privs.

Another candidate is archive2.pl which has loads of funny options.
At least it lets you write arbitrary files as user majordomo. Your
/usr/lib/majordomo directory owned by majordomo? Great--trojan the
wrapper binary and gain group daemon privilege from sendmail.

Their response to this has been that you should install wrapper without
world execute bit. On a sendmail system this means you need to make it
owned by group daemon so that sendmail can run it (provided you run it
from /etc/aliases):

	chown root.daemon wrapper
	chmod 4550 wrapper

If you think about it, this makes daemon and majordomo accounts
interchangeable. If I break daemon, I can become majordomo because of
all the holes in it. If I can become majordomo, I can also become
daemon--I just have to replace the wrapper program with my own binary
(the majordomo directory is owned by majordomo in the default install).

I consider this broken, but I haven't been able to get more out of them.
That and the license that basically keeps us from shipping a modified
majordomo makes me seriously think about whether we shouldn't just drop
it altogether.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private     |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private     +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
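
An audit check for the install conditions described in the message above, added here as an example and not part of the original post or of majordomo. The function names and the trusted-uid parameter are assumptions; it reports a setuid/setgid wrapper that is world-executable, and a wrapper or install directory that an untrusted account owns or can write to.

```shell
#!/bin/sh
# Added example: audit a setuid mail wrapper install. Not majordomo's own code.
# Assumed usage: sh audit.sh /usr/lib/majordomo/wrapper 0   (0 = trusted uid)

# has_perm PATH MODE: succeeds if every bit in octal MODE is set on PATH.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# owner_uid PATH: prints the numeric uid that owns PATH.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# audit_wrapper WRAPPER [TRUSTED_UID]
# Prints one finding per line. Returns 0 when clean, 1 when anything is found.
audit_wrapper() {
    wrapper=$1; trusted=${2:-0}; dir=$(dirname "$wrapper"); rc=0

    # A setuid/setgid wrapper with the world execute bit lets every local
    # user run the scripts behind it with the wrapper's privileges.
    if has_perm "$wrapper" 4000 || has_perm "$wrapper" 2000; then
        if has_perm "$wrapper" 0001; then
            echo "WORLD_EXEC: $wrapper is setuid/setgid and world-executable"; rc=1
        fi
    fi

    # Whoever owns the binary can rewrite it; whoever owns or can write to
    # the directory can replace it. The mail daemon then runs the replacement.
    if [ "$(owner_uid "$wrapper")" != "$trusted" ]; then
        echo "FILE_OWNER: $wrapper is owned by uid $(owner_uid "$wrapper")"; rc=1
    fi
    if [ "$(owner_uid "$dir")" != "$trusted" ]; then
        echo "DIR_OWNER: $dir is owned by uid $(owner_uid "$dir")"; rc=1
    fi
    if has_perm "$dir" 0002 || has_perm "$dir" 0020; then
        echo "DIR_WRITABLE: $dir is writable by group or others"; rc=1
    fi
    return $rc
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_wrapper "$@"
fi
```

A DIR_OWNER or FILE_OWNER finding against the list-manager account is the condition under which that account and the group the mail daemon runs the wrapper as become interchangeable.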