| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.53.0304072213380.1934@dent.suse.de> From: draht at suse.de (Roman Drahtmueller) Subject: Dangerous permissions in unitedlinux -----BEGIN PGP SIGNED MESSAGE----- Hello Knud, While all of the four UnitedLinux partners Conectiva, SCO, TurboLinux and SuSE have greatly contributed to what UnitedLinux is today, SuSE has the role of the product integrator of UnitedLinux 1.0. I'm answering as head of security at SuSE. > Attached document explains all. > > Rant: People using a product called 'antigen' should be shot, stabbed, and No comment on the rant... [quotes strongly shortened] > According to the vendor "UnitedLinux addresses enterprise customers' > needs for a high quality, low cost, standards-based Linux environment > that enables the widespread adoption of Linux." > II. DESCRIPTION > The folders below /usr/src/packages/ ships with the following permissions: > drwxrwxrwt, which makes it writeable by all users. > III. ANALYSIS > This makes way for planting of rogue source, ultimately leading to a full > system compromise. > IV. DETECTION > UnitedLinux 1.0 (i586) beta3 is found to be vulnerable. Generally, it might be a bad idea to report security related problems in a beta after the product has been released. But anyway: The final UnitedLinux 1.0 products contain the same setup: All directories within /usr/src/packages are world-writeable with the t-flag set (mode 1777). The modes have been set like this intentionally to make it possible for a non-root user to (re)build packages using the command 'rpm --rebuild package.spm'. By consequence, this is a tradeoff: Either you don't provide the modes necessary for non-root package builds, or you take the risk that somebody plants an egg in those directories. > V. WORKAROUND > > Change the permissions on > /usr/src/packages/* and below to something more suitable. We have thought of an easier way than changing the modes manually: vi /etc/sysconfig/security and change PERMISSION_SECURITY from "easy local" to "secure local". Afterwards, either run SuSEconfig or 'chkstat -set /etc/permissions.secure'. > VI. VENDOR FIX > > unknown None. > IX. CREDIT > Knud Erik H?jgaard/kokanin[a]dtors.net Thanks, Roman Drahtm?ller, SuSE Security. - - -- - - | Roman Drahtm?ller <draht@...e.de> // "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | N?rnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: SuSE Security iQEVAwUBPpHcGXey5gA9JdPZAQG6wQgAk+vcXCYCeZuF0iH6sh0t+0QoDp0wYuJ6 VC5negBSgrrprlJ94hDP67MlZchN+euLfbaEB2+Ipp7x3g0j1ZDn1ZTlcQ6i6bIM X6J/S+YiBmzBhr21bk2rjKNoQfA7/PXJAuYgHOUQvgN4yKzhVdZ24fuWLQgCDpYA OxQjM1BB4rZmuqrKG5z+Kcb7d+bIrhPn35v5vfKaONwhiDRo0CmIAloV2uds7poy KZb5ua7BFYSS9JwfeUlt9juOsK55vP/aZdO4JPfD0fAol4DWwNyaTmsnNZoQJAfQ KwZEo124SIcEfBpd+3sb72tqPN6V1NegrLnwYtTmrw/IxQZuuN42sQ== =gGrW -----END PGP SIGNATURE-----
Powered by blists - more mailing lists