[Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Bug#639151: Local privilege escalation

Yves-Alexis Perez corsac at debian.org
Fri Aug 26 08:58:26 UTC 2011

On ven., 2011-08-26 at 10:43 +0200, Sebastian Krahmer wrote:
> Hi,
> You probably dont take into account the chown() that happens in lightdm.
> Just unlink the created ~/.dmrc or ~/.Xauthority files after creation and make a symlink
> to /etc/passwd to chown it to yourself.

The chown will be applied to the symlink, not the target. I've tried to
make .Xauthority a symlink to a root-owned file and the destination was
indeed destroyed, but it's still root-owned.

> However I didnt dig deep enough into it to write an exploit as I dont have
> a working lightdm setup. The correct behavior is to temporarily drop euid/fsuid
> to that of the user if doing anything with his files.

Yeah, I'm currently cooking patches doing that, though they'll need
review before apply.
> The PAM issue that I was curious about was that a pam_start() etc is done
> for the greeter-user (which I expect to be some "lightdm" user)?

> I would expect all pam_ calls are only done for the user who is actually
> about to login. The question that came up to me was whether pam_environment
> from the user would have impact on uid-0 called programs/scripts since
> you transfer the PAM env to the process env.

Yeah, that looks fishy, though I have no idea how it's exactly cooked
that way, we'll have to wait for an answer from Robert.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20110826/3110aeff/attachment.pgp>

More information about the Pkg-xfce-devel mailing list