[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200503222211.j2MMBjDJ010506@pisa.maths.usyd.edu.au>
Date: Wed, 23 Mar 2005 09:11:45 +1100
From: psz@...hs.usyd.edu.au
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: root-equivalent groups
Most UNIX/Linux installations have some groups (or users) whose members may
be able to become root, for example:
Group What Do
bin /usr/bin create trojan
disk /dev/hda raw write and create setuid root
kmem /dev/kmem read root password
shadow /etc/shadow crack root password
staff /usr/local/bin create trojan
tape /dev/st0 read confidential backup tape
tty /dev/tty add keystrokes, run any code
Often there are no users in these groups nor setgid binaries, so this may
not matter; and in fact be useless, could be owned by root instead. Group
staff is probably special in that administrators may add users to that
group, thinking that this is a lesser privilege than root.
Even in the absence of users in the group, it may be possible for attackers
to "get" that group, via become-any-group-but-root bugs. Such bugs are
quite common: when a group of machines share writable (e.g. user home)
directories via NFS exported from somewhere with default root-squash,
getting root on any one machine gives precisely that on all others of the
group. There have been "genuine" such bugs also e.g. in sendmail.
Please ensure that you are safe: review your use of root-equivalent groups,
file ownerships, and NFS configurations.
For some more discussion please see http://bugs.debian.org/299007 .
Cheers,
Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists