[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040111013838.F22809@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Fedora/RedHat ConsoleHelper Privileged Access
Preserved
On Sat, 10 Jan 2004, Jonathan A. Zdziarski wrote:
> I noticed running Gnome 2.4 on Fedora that privileged access acquired
> via the console helper (and pam) is preserved after the user logs out
> and back in, for at least an adequate amount of time to log back in and
> retain root privileges.
This problem is inherent to the design of sudo-type credentials caching in
Red Hat's pam_timestamp_check. The observation you've made is not new,
IIRC, and there is some disagreement as to whether this should work this
way - personally, I would say it is a quite pointless and potentially
dangerous feature, but folks at Red Hat probably disagree.
The design is also flawed in many other ways, making it possible to
bypass tty name check (rendering part of the ticketing solution
ineffective and misleading), and providing a method to escalate trivial
file creation races into instant root exploits:
http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00014.html
This was largely ignored by the maintainers, as far as I can tell.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-01-11 01:38 --
http://lcamtuf.coredump.cx/photo/current/
Powered by blists - more mailing lists