reassign 504516 general
thanks

On Tue, Nov 04, 2008 at 08:07:27PM +0200, Milen Rangelov wrote:
> Package: libc6
> Version: 2.7-15
>
> Hello. I just noticed that the libc6 package included in the unstable and
> testing repositories has a misconfiguration that can potentially lead to a
> root compromise by any local user that belongs to the 'staff' group (or that is
> able to write to /usr/local/lib somehow).
>
> The problem is in this file:
> /etc/ld.so.conf.d/libc.conf
>
> which contains:
> # libc default configuration
> /usr/local/lib

This is not a misconfiguration; the goal is to be consistent with the
default path and the default include path of gcc.

> And /usr/local/lib is writable by users in the staff group by default.
>
> While that group is intended for users that can compile/install software
> locally and do not need superuser rights, this thing will eventually grant
> them root privs quite easily.

Yes, but nothing new.

> If I am an intruder and got 'staff' group rights I would:
>
> * compile a shared library named like some real one in /lib, declare some
>   function which is declared in the real /lib one which executes arbitrary
>   code.
> * The library should imitate one that a suidroot binary is linked against.
> * wait until the superuser installs a new .deb package or updates the system
>   (since many .deb packages do a ldconfig in their post-install phase).
> * execute the setuid binary and have my arbitrary code run with superuser
>   privileges.
>
> I have described a similar scenario there (sorry, it's not in English, but it
> should be kinda graspable):
>
> http://www . gat3way .
> eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15
>
> (cut the spaces in the URL).

Even with etch it was possible to drop a binary in /usr/local/bin and
/usr/local/sbin which will then be used by all users, including root. No
changes here: you have to trust the users from group staff.

-- 
Aurelien Jarno                  GPG: 1024D/F1BCDB73
Debian developer                Electrical Engineer
[EMAIL PROTECTED]               [EMAIL PROTECTED]
people.debian.org/~aurel32      www.aurel32.net
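The practical question for an administrator reading this thread is which directories on the loader search path are writable by someone other than root, since trust in the staff group extends to every such directory. The following is an added example, not part of the bug report and not Debian's own tooling: a POSIX shell audit that walks /etc/ld.so.conf and its include files the way ldconfig does and reports any listed directory that is not owned by root or is group- or world-writable. Function names (`collect_ldso_dirs`, `report_writable_dir`, `audit_ldso_paths`) are this example's own, and the config file path it reads is a parameter so it can be run against a constructed copy.

```shell
#!/bin/sh
# Added example (not from the bug report): list every directory on the
# dynamic loader's configured search path that a non-root user could write
# to, i.e. the /usr/local/lib + staff situation discussed above.

# Print the directories named in an ld.so.conf-style file, following its
# "include" lines. Relative include globs are resolved against the directory
# holding the config file, as ldconfig does. The body is a subshell so that
# set -f, cd and the recursion do not disturb the caller.
collect_ldso_dirs() (
    conf=$1
    [ -r "$conf" ] || exit 0
    cd "$(dirname "$conf")" || exit 0
    conf=$(basename "$conf")
    set -f                      # no glob expansion while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # drop comments
        set -- $line            # trim and split on whitespace
        [ $# -eq 0 ] && continue
        if [ "$1" = include ]; then
            shift
            for pat in "$@"; do
                set +f          # expand the include glob deliberately
                for f in $pat; do
                    [ -f "$f" ] && collect_ldso_dirs "$f"
                done
                set -f
            done
        else
            printf '%s\n' "$1"
        fi
    done < "$conf"
)

# Report a directory if someone other than root owns it, or if its group or
# the world may write to it. find -H follows a symlinked entry such as
# /lib -> usr/lib so the target, not the link, is examined; -prune keeps
# find from descending. Always returns 0 so it is safe under set -e.
report_writable_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    [ -n "$(find -H "$dir" -prune ! -user root -print)" ] &&
        printf '%s: not owned by root\n' "$dir"
    [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ] &&
        printf '%s: group/world writable\n' "$dir"
    return 0
}

# Audit every directory from CONF (default /etc/ld.so.conf) plus any extra
# directories given. /lib and /usr/lib are searched by the loader even when
# not listed, so pass them explicitly for a complete picture.
audit_ldso_paths() {
    conf=${1:-/etc/ld.so.conf}
    [ $# -gt 0 ] && shift
    {
        collect_ldso_dirs "$conf"
        [ $# -gt 0 ] && printf '%s\n' "$@"
    } | sort -u | while IFS= read -r dir; do
        report_writable_dir "$dir"
    done
}

# Usage on a real system (run as root for an unrestricted view):
audit_ldso_paths /etc/ld.so.conf /lib /usr/lib
```

On a default Debian install of the era described, this prints a `group/world writable` line for /usr/local/lib, which is exactly the condition the report relies on; the fix is organisational (only trusted accounts in group staff) or a tighter mode on /usr/local/lib, not a change to libc.conf. The script also catches the less obvious cases the thread does not mention, such as a search-path directory created by hand with a sloppy umask.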

