On Thu, 15 Aug 2002 22:13:35 +0200, Ruben Porras <nahoo82 telefonica net> said:

> Thanks, it helped me a lot. The only reason for this question is that I'm
> writing a program to configure lilo, so I need to have permissions to
> write lilo.conf and execute lilo. Only for that, after this I can give
> away the permissions.
>
> Is this really dangerous? I mean, is it possible to exploit this? The time
> the program needs the setuid is only 2 or 3 seconds.

You might want to ask yourself why you want a non-root user screwing around
with the contents of lilo.conf - that RIGHT THERE is a security hole, as they
can add a stanza like this:

    image=/boot/vmlinuz-2.4.18-5
    label=my-r00ter
    initrd=/boot/initrd-2.4.18-5.img
    read-only
    root=/dev/hda6
    append="single"

Game over at next reboot. ;)

Also, note that many of the attacks listed can be set up *in advance* by an
attacker (like most "follows symlink" bugs, for example). Other attacks can be
launched at will - remember that the attacker can set up a mangled runtime
environment and then exec() your program to attack it.

/Valdis
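An added example (mine, not from Valdis's mail) of the two defensive checks his last paragraph implies for a privileged helper that writes lilo.conf: refusing a symlink planted in advance by opening with O_NOFOLLOW and validating the open descriptor, and throwing away the caller's environment before doing anything else. The function names and the /tmp scenario are constructed for the illustration; a real helper would expect root (uid 0) as the owner of /etc/lilo.conf.

```c
#define _GNU_SOURCE              /* clearenv() and mkdtemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a config file for writing without following a final-component symlink,
 * then check the open fd itself (no path re-lookup, so nothing can be swapped
 * in between) for a regular file owned by expected_owner. -1/errno on failure. */
int open_config_safely(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;                        /* ELOOP if a symlink was planted */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Replace the caller's environment (PATH, IFS, LD_* ...) with a minimal known one; 0 = ok. */
int scrub_environment(void)
{
    if (clearenv() != 0) return -1;
    return setenv("PATH", "/sbin:/bin:/usr/sbin:/usr/bin", 1) || setenv("IFS", " \t\n", 1);
}

/* Constructed scenario in a private temp dir: a real config file and, beside
 * it, a symlink "planted" in advance. Returns 1 when the symlink is refused
 * with ELOOP and the real file accepted. A real helper would expect owner 0. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/lilo-demo-XXXXXX", real[64], lnk[64];
    int ok = 0, fd, bad, bad_errno, good;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(real, sizeof real, "%s/lilo.conf", dir); snprintf(lnk, sizeof lnk, "%s/planted", dir);
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(real, lnk) == 0) {
        bad = open_config_safely(lnk, getuid()); bad_errno = errno; /* must fail */
        good = open_config_safely(real, getuid());                  /* must open */
        ok = (bad == -1 && bad_errno == ELOOP && good >= 0);
        if (good >= 0) close(good);
    }
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}
```

None of this changes the point of the mail: if a non-root user gets to choose what ends up in lilo.conf, the hole is the design, not the few seconds of setuid.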