[Pkg-xfce-devel] Bug#639151: [oss-security] Re: Bug#639151: Bug#639151: Bug#639151: Local privilege escalation

[Yves-Alexis Perez]

On ven., 2011-08-26 at 10:58 +0200, Yves-Alexis Perez wrote:
> > However I didnt dig deep enough into it to write an exploit as I dont have
> > a working lightdm setup. The correct behavior is to temporarily drop euid/fsuid
> > to that of the user if doing anything with his files.
> 
> Yeah, I'm currently cooking patches doing that, though they'll need
> review before apply. 

Would something like:

diff --git a/src/dmrc.c b/src/dmrc.c
index bff1da8..9f38faf 100644
--- a/src/dmrc.c
+++ b/src/dmrc.c
@@ -80,11 +80,25 @@ dmrc_save (GKeyFile *dmrc_file, const gchar *username)
     /* Update the users .dmrc */
     if (user)
     {
+      /* write the file as the user itself */
+      pid_t pid;
+      pid = fork();
+
+      if (pid == 0)
+      {
+        if (setuid (user_get_uid(user)) < 0)
+        {
+          g_warning("Error changing uid for %s: %s", username, g_strerror(errno));
+          _exit(EXIT_FAILURE);
+        }
         path = g_build_filename (user_get_home_directory (user), ".dmrc", NULL);
         g_file_set_contents (path, data, length, NULL);
-        if (getuid () == 0 && chown (path, user_get_uid (user), user_get_gid (user)) < 0)
-            g_warning ("Error setting ownership on %s: %s", path, strerror (errno));
         g_free (path);
+        _exit(EXIT_SUCCESS);
+
+      }
+      if (pid > 0)
+        wait(NULL);
     }
 
     /* Update the .dmrc cache */

do the job (untested, it's more like a RFC right now).

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20110826/b28835f6/attachment-0001.pgp>