
List:       debian-devel
Subject:    Re: setuid/setgid binaries contained in the Debian repository.
From:       Goswin von Brederlow <brederlo () informatik ! uni-tuebingen ! de>
Date:       2003-08-11 15:03:02

Matt Zimmerman <mdz@debian.org> writes:

> On Mon, Aug 11, 2003 at 04:00:40PM +0200, Emile van Bergen wrote:
> 
> > On Mon, Aug 11, 2003 at 09:28:42AM -0400, Matt Zimmerman wrote:
> > > setuid results in even more problems than setgid.  Given access to the
> > > game uid, the user can modify the wrapper program (because they own it)
> > > and from that point forward, any user who runs the game is compromised.
> > 
> > The point is that the user doesn't get control over the game uid, because
> > the setuid + wrapper that sets the real uid, etc. provides a barrier to
> > the invoking user. We have to trust such barriers; they are required in
> > the unix design.
> > 
> > If a user could make any setuid binary do arbitrary things, no matter
> > whether it's correctly written, then it's a kernel bug and we are in much,
> > much bigger trouble.
> 
> I don't follow.  The wrapper is running with uid games, and it exec()s the
> actual game.  So the game is running with uid games, exactly as if the game
> itself were setuid, and if the game is exploited, uid games is compromised
> (and so is the wrapper).
> 
> The only barrier I see is that it would clean the environment variables.
> Yes, this is a popular attack vector, but it is by no means the only one.

The wrapper could be setuid root and drop to game.

But I'd rather have some game exploits than a root exploit due to a
buggy wrapper.

MfG
        Goswin


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
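
The wrapper design discussed in this message (setuid root, clean the environment, drop to the game account, then exec), sketched as an added example that is not code from any participant in the thread or from Debian. GAME_PATH, GAME_UID, GAME_GID and the variable allow-list are placeholder assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Placeholder values (assumptions, not taken from the thread). */
#define GAME_PATH "/usr/lib/games/example-game"
#define GAME_UID  1001
#define GAME_GID  1001

/* Allow-list: only these variables survive; LD_PRELOAD, IFS etc. do not. */
static const char *const keep[] = { "TERM", "LANG", "DISPLAY", NULL };

/* Build out[] from a fixed PATH plus allow-listed entries of in[]. */
size_t clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in && in[i]; i++)
        for (size_t k = 0; keep[k]; k++) {
            size_t len = strlen(keep[k]);   /* require NAME= exactly */
            if (n + 1 < cap && !strncmp(in[i], keep[k], len) && in[i][len] == '=')
                out[n++] = in[i];
        }
    out[n] = NULL;
    return n;
}

/* Permanently become uid/gid. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                        /* never "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return (setuid(0) == 0) ? -1 : 0;               /* root must be gone for good */
}

int main(int argc, char *argv[])
{
    extern char **environ;
    char *env[16];
    (void)argc; clean_env(environ, env, 16);
    if (drop_privileges(GAME_UID, GAME_GID) != 0) { perror("drop"); return 1; }
    execve(GAME_PATH, argv, env);                   /* only reached on failure */
    perror("execve"); return 1;
}
```

Everything before the successful return of drop_privileges() runs as root, which is the code a review of such a wrapper has to concentrate on.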
