lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8ebbd7f50412301956678eaa07@mail.gmail.com>
From: dentonj at gmail.com (Jeffrey Denton)
Subject: /bin/rm file access vulnerability

Nothing new here.  That is one of the problems with DAC systems, the
admin has total control over the system.

With UNIX/Linux, it's even possible for users to delete files from
their home directory even if they are owned by root.  Say for example,
the admin wants to create a zero length .rhosts file to prevent the
user from using that file to open a hole in the system:


username@...tname:~$ ls -l .rhosts
/usr/bin/ls: .rhosts: No such file or directory
username@...tname:~$ su
Password:
root@...tname:/home/username# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root@...tname:/home/username# touch .rhosts
root@...tname:/home/username# ls -l .rhosts
-rw-r--r--  1 root root 0 2004-12-30 20:04 .rhosts
root@...tname:/home/username# exit
exit
username@...tname:~$ id
uid=1000(username) gid=1000(username)
groups=1000(username),10(wheel),11(floppy),17(audio),18(video),19(cdrom)
username@...tname:~$ rm .rhosts
/bin/rm: remove write-protected regular empty file `.rhosts'? y
username@...tname:~$ ls -l .rhosts
/usr/bin/ls: .rhosts: No such file or directory
username@...tname:~$ ls -ld /home/username/
drwx--x--x  59 username username 8192 2004-12-30 20:05 /home/username/

This is not new.  From the book, "Practical UNIX & Internet Security",
2nd Ed., page 116:

"To unlink a file from a directory, you need only have write and
execute access to that directory even if you have no access rights to
the file itself."

Every so often, someone "discovers" this security hole in UNIX/Linux.

To prevent the above from happening, use a MAC or a RBAC system such
as Trusted Solaris.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ