[PATCH] Install customization packages left for us by a USB key.

C. Scott Ananian cscott at laptop.org
Fri Mar 7 16:41:30 EST 2008

On Fri, Mar 7, 2008 at 12:00 PM, Michael Stone <michael at laptop.org> wrote:
> On Fri, Mar 07, 2008 at 10:11:06AM -0500, C. Scott Ananian wrote:
>  > Classic privilege-escalation attack.
>  /, /home, and /home/olpc, are only writable by uids 0 and 500. Both uids
>  0 and 500 have direct access to uid 0. Therefore, if Mallory can affect
>  what files are pointed to by $PKGDIR, then she already had access to uid
>  0. Is there a more subtle privilege escalation attack that I missed?

Yes.  The presence of this hook turns the ability to *write files* as
UID 500 into the ability to *execute code* as UID 0.  These
permissions should not be identical, and where they are (for example,
in so far as we source scripts from /home/olpc instead of parsing
non-executable configuration files) I believe this to be a flaw in our
security.  A subtle version of this attack would be to have an
attacker write /home/olpc/.bashrc, which would be invoked when the
child launched Terminal; we should perhaps consider passing
--noprofile to bash in Terminal to mitigate this risk.

I am also very concerned about the number of activities running as UID
500, but I think that's off-topic, and on the schedule of
things-to-be-fixed at any rate.

                         ( http://cscott.net/ )

More information about the Devel mailing list