| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Feb 2004 15:07:38 -0800 (PST) From: "Patrick J. Volkerding" <security@...ckware.com> To: Seth Arnold <sarnold@...ex.com> Cc: bugtraq@...urityfocus.com Subject: Re: Samba 3.x + kernel 2.6.x local root vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 9 Feb 2004, Seth Arnold wrote: > On Mon, Feb 09, 2004 at 10:23:03PM +0100, Michal Medvecky wrote: > > Confirmed to work on all 2.6.x kernels, not confirmed on 2.4.x. > > I haven't got a clue what you're trying to accomplish. If you don't want > a setuid execute, DON'T RUN chmod +s! You don't even need samba to > accomplish this: Note that two machines are involved here, the server (sharing the setuid binary), and the client (the victim, which mounts the share and runs the binary; the attacker must have a local account here). The problem stems from the setuid root smbmnt. When you install Samba from source, /usr/bin/smbmnt is not setuid root by default, but several Linux distributions seem to ship it this way (Slackware does not). With smbmnt setuid root, any user with a local account can gain root if they can set up a Samba server that can be mounted from the victim machine. At the least, if you're going to run smbmnt setuid root, you should make an smbmnt group and only allow group members to execute it. The members of the group could still exploit this hole, but not other users. Pat -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFAKBK+akRjwEAQIjMRAhl3AJ9xL0tWhZuP7poPVhY1tQ4SmKTi4ACfetQm g8ktzk0I4h4q2AyJs67sESY= =49Nk -----END PGP SIGNATURE-----
Powered by blists - more mailing lists