[Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Bug#639151: Bug#639151: Local privilege escalation
corsac at debian.org
Fri Aug 26 11:24:42 UTC 2011
(droppping oss-sec in order to not be too noisy)
On ven., 2011-08-26 at 10:58 +0200, Yves-Alexis Perez wrote:
> > You probably dont take into account the chown() that happens in lightdm.
> > Just unlink the created ~/.dmrc or ~/.Xauthority files after creation and make a symlink
> > to /etc/passwd to chown it to yourself.
> The chown will be applied to the symlink, not the target. I've tried to
> make .Xauthority a symlink to a root-owned file and the destination was
> indeed destroyed, but it's still root-owned.
Ok that's wrong, chown() is supposed to dereference symlinks, so I'm not
sure why the target file wasn't chown()ed in my case.
I've tried replacing .dmrc by a symlink to a root-owned file and, in
* the target file disappeared
* the symlink disappeared
* a new .dmrc file was written, belonging to my user
so the net result is that you can simply erase any root-owned file in
that case (but not overwrite it with arbitrary content, afaict).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: This is a digitally signed message part
More information about the Pkg-xfce-devel