[Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation
corsac at debian.org
Wed Aug 24 18:55:12 UTC 2011
On mer., 2011-08-24 at 18:56 +0200, Yves-Alexis Perez wrote:
> On mer., 2011-08-24 at 18:33 +0200, Moritz Muehlenhoff wrote:
> > Sebastian Krahmer posted the following to oss-security:
> > ---
> > From: Sebastian Krahmer <krahmer at suse.de>
> > To: oss-security at lists.openwall.com
> > Cc: robert.ancell at canonical.com
> > Subject: [oss-security] lightdm issues
> > Hi,
> > lightdm (0.9.2) which aims to be an xdm replacement seems to
> > fall into the same pitfalls as kdm and gdm recently. There is
> > a lot of uid 0 code creating and chown()ing files in user dirs such as
> > for ~/.dmrc and ~/.Xauthority. Probably more, depending on
> > how the permissions of cache and log directories are set up. For
> > example process_start() also creates and chown()s logfiles on users' behalf.
> > There is also one thing that I don't understand about the lightdm
> > user itself and why pam sessions seem to be started for it inside
> > the greeter session code.
> > The xdmcp code seems to be OK so far, after a quick review.
> Yup, I'm on oss-sec so I've seen this and am waiting for Robert's answer.
> I guess the proper way to do it would be to move all the user-related
> work *after* the setuid() call and before exec()ing the session.
> Not sure how gdm3/xdm/slim handle that but there might be inspiration
> there too.
And, out of curiosity, how would you achieve privilege escalation? You
should be able to erase/rewrite arbitrary files, including /etc/shadow,
but you don't really have control over what's written there.
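The ordering suggested in the reply above (do the per-user file work only after the setuid() call), sketched in C as an added example that is not part of the thread or of lightdm's code. `drop_to_user` and `write_user_file` are hypothetical names, the forked child stands in for the session child before exec(), and O_NOFOLLOW is extra hardening that the thread does not mention.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid/gid; returns 0 on success, -1 on failure. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    if (getuid() == uid && geteuid() == uid && getegid() == gid)
        return 0;                   /* already running as the target user */
    if (geteuid() != 0)
        return -1;                  /* cannot switch identity without root */
    /* Supplementary groups, then gid, then uid: setuid() must come last. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* If root can be regained, the drop was not permanent. */
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

/* Hypothetical helper: write a per-user file (such as ~/.dmrc) using the
 * user's own credentials. Returns 0 on success, -1 on failure. */
int write_user_file(uid_t uid, gid_t gid, const char *path,
                    const void *data, size_t len)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child: the daemon itself stays root */
        if (drop_to_user(uid, gid) != 0)
            _exit(1);
        /* The user creates the file, so no chown() is needed afterwards,
         * and the kernel checks every path component against the user. */
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd < 0)
            _exit(2);               /* includes ELOOP: path is a symlink */
        ssize_t n = write(fd, data, len);
        _exit((n == (ssize_t)len && close(fd) == 0) ? 0 : 3);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because the open() happens under the user's uid, a path that resolves outside what the user may write fails with a permission error instead of being created and chown()ed by root.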