RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

i.grok at comcast.net
Tue Dec 21 23:52:10 UTC 2010


On Tue, Dec 21, 2010 at 10:37:44PM +0100, Miloslav Trmač wrote devel:
> Colin Walters writes on Tue 21. 12. 2010 at 11:47 -0500:
> > "But they still have uid 0, which typical system installation allows
> > root to do things. For example, /bin/sh is 0755 and /bin is also 0755
> > perms. A disarmed root process can still trojan a system. But what if
> > we got rid of all the read/write permissions for root?"
> > 
> > So...right, "we can do these small changes, and then if we do this BIG
> > CHANGE, it all works!".  But this feature doesn't include BIG CHANGE,
> > and there are no plans to, right?
> No.  The original plans didn't count with the fact that changing
> permissions by owner does not require any capabilities either.
> 
> If an attacker were controlling a process running with uid 0 and no
> capabilities at all, and /bin/sh were 0555, nothing prevents the
> attacker from chmod()ing /bin/sh to 0755 and overwriting it.  This makes
> any attempts to change the file permissions rather pointless.

Ok, so who says that the files must be owned by root? Make them owned by
some other user -- say, bin? (or does that have another use that my
google search isn't coming up with?)
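As an added illustration of Miloslav's point (example code, not from the thread), the C program below shows that a file's owner can strip and restore its own write bit without any capability; it uses a constructed scratch file under /tmp and runs as an unprivileged user.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added demonstration: the owner of a file can chmod() it from 0555 back
 * to 0755 without any capability, so mode bits on owner-owned files are
 * no boundary against that owner. Returns -1 on setup failure, otherwise
 * bit 0 = contents overwritten after chmod 0755,
 * bit 1 = write refused while the mode was 0555 (set for an unprivileged
 *         owner; a process holding CAP_DAC_OVERRIDE, such as real root,
 *         is not refused even at 0555). */
int run_demo(void)
{
    char path[] = "/tmp/setuid-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "#!/bin/sh\n", 10) != 10) { close(fd); unlink(path); return -1; }
    close(fd);

    /* Model the hypothetical hardened /bin/sh: r-xr-xr-x. */
    if (chmod(path, 0555) != 0) { unlink(path); return -1; }
    fd = open(path, O_WRONLY | O_APPEND);
    int denied = (fd < 0 && errno == EACCES);
    if (fd >= 0) close(fd);

    /* The owner needs no capability to flip the bits back ... */
    int rewrote = 0;
    if (chmod(path, 0755) == 0) {
        /* ... and can then overwrite the contents. */
        fd = open(path, O_WRONLY | O_APPEND);
        if (fd >= 0) {
            rewrote = (write(fd, "echo replaced\n", 14) == 14);
            close(fd);
        }
    }
    unlink(path);
    return (denied << 1) | rewrote;
}

int main(void)
{
    int r = run_demo();
    if (r < 0) { perror("setup"); return 1; }
    printf("write refused at 0555: %d, overwrote after chmod 0755: %d\n",
           (r >> 1) & 1, r & 1);
    return (r & 1) ? 0 : 1;
}
```

The only lever that actually removes the owner's ability to do this is the one the reply asks about: making the file belong to a different uid, since chown() does require CAP_CHOWN.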

