[Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Bug#639151: Bug#639151: Local privilege escalation

Yves-Alexis Perez corsac at debian.org
Fri Aug 26 11:24:42 UTC 2011

(droppping oss-sec in order to not be too noisy)

On ven., 2011-08-26 at 10:58 +0200, Yves-Alexis Perez wrote:
> > You probably dont take into account the chown() that happens in lightdm.
> > Just unlink the created ~/.dmrc or ~/.Xauthority files after creation and make a symlink
> > to /etc/passwd to chown it to yourself.
> The chown will be applied to the symlink, not the target. I've tried to
> make .Xauthority a symlink to a root-owned file and the destination was
> indeed destroyed, but it's still root-owned. 

Ok that's wrong, chown() is supposed to dereference symlinks, so I'm not
sure why the target file wasn't chown()ed in my case.

I've tried replacing .dmrc by a symlink to a root-owned file and, in
that case:

* the target file disappeared
* the symlink disappeared
* a new .dmrc file was written, belonging to my user

so the net result is that you can simply erase any root-owned file in
that case (but not overwrite it with arbitrary content, afaict).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20110826/0cdc4914/attachment.pgp>

More information about the Pkg-xfce-devel mailing list