lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200503222211.j2MMBjDJ010506@pisa.maths.usyd.edu.au>
Date: Wed, 23 Mar 2005 09:11:45 +1100
From: psz@...hs.usyd.edu.au
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: root-equivalent groups


Most UNIX/Linux installations have some groups (or users) whose members may
be able to become root, for example:

	Group	What		Do
	bin	/usr/bin	create trojan
	disk	/dev/hda	raw write and create setuid root
	kmem	/dev/kmem	read root password
	shadow	/etc/shadow	crack root password
	staff	/usr/local/bin	create trojan
	tape	/dev/st0	read confidential backup tape
	tty	/dev/tty	add keystrokes, run any code
	
Often there are no users in these groups nor setgid binaries, so this may
not matter; and in fact be useless, could be owned by root instead. Group
staff is probably special in that administrators may add users to that
group, thinking that this is a lesser privilege than root.

Even in the absence of users in the group, it may be possible for attackers
to "get" that group, via become-any-group-but-root bugs. Such bugs are
quite common: when a group of machines share writable (e.g. user home)
directories via NFS exported from somewhere with default root-squash,
getting root on any one machine gives precisely that on all others of the
group. There have been "genuine" such bugs also e.g. in sendmail.

Please ensure that you are safe: review your use of root-equivalent groups,
file ownerships, and NFS configurations.

For some more discussion please see  http://bugs.debian.org/299007 .

Cheers,

Paul Szabo   psz@...hs.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ