Disclaimer: while I'm a fan of capabilities / object capabilities /
capability-based security, and also a "Unix person", I (obviously)
wasn't among those who have designed Mach, or Hurd, or Unix. So I
cannot speak authoritatively, I can only attempt to share what my
understanding is.
On Fri, 5 Nov 2021 at 22:17, Sergey Bugaev wrote:
> On Fri, Nov 5, 2021 at 1:41 PM Samuel Thibault wrote:
> >
> > William ML Leslie, le ven. 05 nov. 2021 21:18:50 +1100, a ecrit:
> > > > which makes the root filesystem reauthenticate all of the
> > > > processes' file descriptors.
> > >
> > > I
On Fri, Nov 5, 2021 at 1:41 PM Samuel Thibault wrote:
>
> William ML Leslie, le ven. 05 nov. 2021 21:18:50 +1100, a ecrit:
> > > which makes the root filesystem reauthenticate all of the
> > > processes' file descriptors.
> >
> > It seems to eliminate a rather convenient method of delegation; a
> >
On Fri, 5 Nov 2021 at 21:41, Samuel Thibault wrote:
> William ML Leslie, le ven. 05 nov. 2021 21:18:50 +1100, a ecrit:
> > > which makes the root filesystem reauthenticate all of the
> > > processes' file descriptors.
> >
> > It seems to eliminate a rather convenient method of delegation; a
> > pr
William ML Leslie, le ven. 05 nov. 2021 21:18:50 +1100, a ecrit:
> > which makes the root filesystem reauthenticate all of the
> > processes' file descriptors.
>
> It seems to eliminate a rather convenient method of delegation; a
> process opening a descriptor, forking and executing a child, and
>
William ML Leslie, le ven. 05 nov. 2021 21:18:50 +1100, a ecrit:
> I've been meaning to ask: Why does the hurd attempt to re-authenticate open
> file descriptors during exec?
That's done only when the auth port changes, i.e. uid/gid etc. following
a setuid/setgid/etc. trigger.
Samuel
CC list reduced considering I'm going to ask about a slightly different
topic.
This is fantastic research, Sergey, this vuln especially so.
On Wed, 3 Nov 2021 at 03:49, Sergey Bugaev wrote:
>
> To get someone privileged to authenticate to me, I went with the same
> exec(/bin/su) trick, which mak
Short description
=================
The use of authentication protocol in the proc server is vulnerable to
man-in-the-middle attacks, which can be exploited for local privilege escalation
to get full root access to the system.
Background: authentication
==========================
Here, the word