[Unionfs] Re: bug allowing user to escalate privileges
Mark Tomich
mtomich at allconnect.com
Wed May 14 13:47:57 EDT 2008
I'm sorry to clutter the list, but here is the same message in
plain text... I just realized I was composing in HTML, and the digests
ignore HTML...
On Wed, 2008-05-14 at 13:26 -0400, Mark Tomich wrote:
> Sorry, I failed to mention I've tested this on 2.1.11 and 2.3.3 and it
> happens on both.
>
> On Wed, 2008-05-14 at 11:58 -0400, Mark Tomich wrote:
> >
> > My root filesystem is unionfs which combines a mounted squashfs
> > image with an initially empty, read-write tmpfs. In this setup, an
> > unprivileged user is permitted to modify (for instance) /etc/passwd
> > (uid=0, gid=0, mode=644), this modified file is saved in the
> > read-write branch, and then the user is not permitted to modify the
> > file further (i.e. additional attempts by the unprivileged user to
> > modify the file would result in the proper response of "permission
> > denied"). If a user were to use this to edit /etc/sudoers, he could
> > easily exploit this bug to grant himself unlimited system access.
> >
> > I'm guessing I'm not the only one out there who has a setup
> > rather like this, so I'm hoping somebody else out there could help
> > me verify this bug.
> >
> > Thanks,
> > Mark Tomich
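An added regression script (written here for this thread; it is not the reporter's code and not part of the unionfs project) that repeats the check described above against a scratch file rather than /etc/passwd: it asks whether an unprivileged user can write to a root-owned mode 644 file on the union, whether a second write is then denied, and whether a copy appeared in the read-write branch. The union mount point, read-write branch path and unprivileged account are assumptions, set through environment variables.

```shell
#!/bin/sh
# Regression check for the report above: on a union mount, can an unprivileged
# user write to a root-owned, mode 644 file, and does that write get copied up
# into the read-write branch? Uses a scratch file, never a real system file.
# Assumed environment (not from the report): run as root with the "run"
# argument, union root at UNION_MNT, its read-write branch at RW_BRANCH,
# and an existing unprivileged account TEST_USER.
UNION_MNT=${UNION_MNT:-/}
RW_BRANCH=${RW_BRANCH:-/rw}
TEST_USER=${TEST_USER:-nobody}
REL=tmp/unionfs-dac-check.$$

# try_write USER FILE: as USER, attempt to append one line to FILE.
# Returns 0 when the write was denied (correct), 1 when it was allowed.
try_write() {
    if su -s /bin/sh "$1" -c "printf 'x\n' >> '$2'" 2>/dev/null; then
        return 1
    fi
    return 0
}

# verdict FIRST SECOND: map two try_write results (0 denied / 1 allowed)
# to a one-word verdict. The pattern in the report is allowed, then denied.
verdict() {
    case "$1$2" in
        00) echo OK ;;               # both attempts denied: DAC enforced
        10) echo COPYUP_BUG ;;       # first write slipped through, copy then protected
        11) echo ALWAYS_WRITABLE ;;  # permissions not enforced at all
        *)  echo UNEXPECTED ;;       # denied first, allowed later
    esac
}

# Orchestration: only runs when invoked directly as root with "run".
if [ "$(id -u)" = 0 ] && [ "${1:-}" = run ]; then
    id "$TEST_USER" >/dev/null 2>&1 || { echo "no such user: $TEST_USER" >&2; exit 2; }
    f="${UNION_MNT%/}/$REL"
    printf 'original\n' > "$f" && chown 0:0 "$f" && chmod 644 "$f"
    try_write "$TEST_USER" "$f" && r1=0 || r1=1
    try_write "$TEST_USER" "$f" && r2=0 || r2=1
    echo "verdict: $(verdict "$r1" "$r2")"
    if [ -e "${RW_BRANCH%/}/$REL" ]; then
        echo "scratch file was copied up into the read-write branch: ${RW_BRANCH%/}/$REL"
        cmp -s "$f" "${RW_BRANCH%/}/$REL" && echo "union view matches the rw-branch copy"
    fi
    rm -f "$f" "${RW_BRANCH%/}/$REL"
fi
```

A verdict of COPYUP_BUG with a copy present in the read-write branch is the behaviour the report describes; OK is the expected result on a correctly behaving union.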