Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Discontinued :: krnl15~4.txt

Nasty Linux kernel arg bugs




COMMAND

    kernel

SYSTEMS AFFECTED

    Linux

PROBLEM

    Matthew J. Dainty  found following.   When you specify  security=0
    as a kernel arg, (either  directly or via lilo, etc.),  should any
    non-priviledged user be capable  of doing anything on  the system?
    Matthew was wondering this because he was quite worried that as  a
    non-root  user,  he  could  do  anything  on  the system, (install
    software packages, edit /etc/fstab, etc.).  He was using 2.2.16  &
    0.9.7 BTW, along with ReiserFS and USB patches.

    Christian Grothoff could confirm this  bug on a 2.2.16 with  0.9.7
    (and a removed "static" from fs/lids.c as it was mentioned on this
    list before in order to  compile it).  Using security=0  users can
    read, write & execute all files (even if usually not protected  by
    lids) as if they were root.  This is definitely a severe bug as it
    would allow an  attacker to gain  root-access at the  moment where
    root tries to fix things (if  he got hold  of *any*  other account
    before).

    Christian also  found out  that the  problem is  little worse: you
    don't  need  to  boot  with  security=0,  if you allowed switching
    protections  a  simple  "lidsadm  -S  --  -LIDS_GLOBAL" (+pass) is
    absolutely sufficient  to override  *all* file  protections of the
    system.   It  also  allows  common  users  to kill root processes!
    Chris did not check for  port bindings & other issues  (shm, ipc),
    but he suspects everybody is treated as root (ouch).

    According to Georg Zoeller /lidadm  -S -- -LIDS  seems  to contain
    this bug too, in a way:

        (user2 is a standard non root user!)

        login....
        ....................................................................
        bash$ joe /etc/passwd
        (file is shown as readonly, cannot be modified)
        bash$ su
        Password:
        [root@penguin user]# /sbin/lidsadm -S -- -LIDS
        SWITCH
        enter password:
        [root@penguin user]#su user2
        bash$ joe /etc/passwd
        (file is not read-only, can be modfied)
        bash$ joe /etc/fstab
        (file is not read only, can be modified)
        bash$ ls -l /etc/fstab
        -rw-r--r--    1 root     root          684 Jul 24 16:28 /etc/fstab
        bash$ exit
        [root@penguin user]#exit
        bash$ joe /etc/passwd
        (file is shown as readonly, cannot be modified)
        ......................................................................

    Seems to me that the -LIDS shell does not drop the root privileges
    when switching to non-root accounts.

SOLUTION

    There is patch on LIDS mailing list.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH