[Pkg-xfce-devel] Bug#639151: Bug#639151: Local privilege escalation
corsac at debian.org
Wed Aug 24 16:56:09 UTC 2011
On Wed., 2011-08-24 at 18:33 +0200, Moritz Muehlenhoff wrote:
> Sebastian Krahmer posted the following to oss-security:
> From: Sebastian Krahmer <krahmer at suse.de>
> To: oss-security at lists.openwall.com
> Cc: robert.ancell at canonical.com
> Subject: [oss-security] lightdm issues
> lightdm (0.9.2) which aims to be an xdm replacement seems to
> fall into the same pitfalls as kdm and gdm recently. There is
> a lot of uid 0 code creating and chown()ing files in user dirs such as
> for ~/.dmrc and ~/.Xauthority. Probably more, depending on
> how the permissions of cache and log directories are set up. For
> process_start() also creates and chown()s logfiles on the user's behalf.
> There is also one thing that I don't understand about the lightdm
> user itself and why pam sessions seem to be started for it inside
> the greeter session code.
> The xdmcp code seems to be OK so far, after a quick review.
Yup, I'm on oss-sec so I've seen this and am waiting for Robert's answer.
I guess the proper way to do it would be to move all the user-related
work *after* the setuid() call and before exec()ing the session.
Not sure how gdm3/xdm/slim handle that but there might be inspiration
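The ordering suggested in this message (drop privileges first, then touch files in the user's home, then exec the session), sketched as an added example; it is not lightdm's code and not part of the original thread. `write_user_file()` and `drop_privileges()` are hypothetical names, and `setgroups()` stands in for the `initgroups()` call a real display manager would make.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Become the session user for good. Groups and gid go first, uid last:
 * once setuid() has succeeded the process may no longer change them. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Simplification: a real display manager would call initgroups(). */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Confirm the drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Hypothetical helper: write a per-user file such as ~/.dmrc from a child
 * that has already become the user, so root never creates or chown()s
 * anything inside a user-controlled directory.
 * Returns 0 on success, -1 on any failure. */
int write_user_file(uid_t uid, gid_t gid, const char *path,
                    const char *data, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(1);
        /* The kernel now checks this open() against the user's own
         * credentials; O_NOFOLLOW also refuses a symlink at the path. */
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC,
                      0600);
        if (fd < 0) _exit(2);
        ssize_t n = write(fd, data, len);
        close(fd);
        /* A display manager would execve() the session at this point. */
        _exit(n == (ssize_t)len ? 0 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because the file is created by a process that already runs as the user, it is owned by that user from the start and no chown() is needed.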