joshat_private posted to bugtraq earlier today with a case whereby modules.dep is set to mode 0666, and thus can be manipulated by a non-root user to cause a common module to load a user-owned evil module.

According to his post, Linux kernels from 2.4.3 onwards have a default empty umask, and thus on some distributions that do not explicitly set the umask in time, a world-writeable modules.dep is created on bootup.

This can be seen as a configuration error, perhaps, but I question whether modprobe should bypass the root-ownership test, which seems like a good idea. I guess there are cases where being able to specify an intentionally-non-root-owned module would be useful, but is that enough of a reason to bypass the security check?

-Toby

On Tue, 17 Jul 2001, Keith Owens wrote:

> modules.dep is a trusted file. root builds it by hand or via a startup
> script. If root changes the modules without refreshing modules.dep
> then you have GIGO.
>
> AFAICT you need root to do this, to update files and/or permissions in
> /lib/modules. If you can reproduce the problem without requiring root
> privileges at some stage and without using depmod -r then it is a bug.
> Otherwise "root can destroy a system", this is not news.
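
A check for the condition discussed in this thread, as an added example that is not part of the original posts or of modutils: it flags any modules.dep that is not owned by the expected user or that is writable by group or other. The function names, the default tree /lib/modules and the overridable owner uid are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX sh and find.

# audit_modules_dep [TREE] [OWNER_UID]
# Prints every modules.dep under TREE (default /lib/modules) that is not
# owned by OWNER_UID (default 0, root) or is group- or world-writable.
# Returns 0 if all files are clean, 1 if any were flagged, 2 if TREE is missing.
audit_modules_dep() {
    tree=${1:-/lib/modules}
    owner=${2:-0}
    if [ ! -d "$tree" ]; then
        echo "audit_modules_dep: no such directory: $tree" >&2
        return 2
    fi
    # -perm -0020 / -0002 match files with the group / other write bit set.
    bad=$(find "$tree" -type f -name modules.dep \
        \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# make_sample_dep UMASK DIR
# Builds a constructed sample (not a real module tree): an empty
# DIR/modules.dep created under the given umask, the way a boot script
# would create it. An empty umask (000) yields mode 0666; 022 yields 0644.
make_sample_dep() {
    ( umask "$1" && mkdir -p "$2" && : > "$2/modules.dep" )
}
```

Run `audit_modules_dep` with no arguments on a real system; a flagged file should be fixed with root ownership and mode 0644, and the boot scripts should set the umask before depmod runs.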
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 08:16:28 PDT