[PATCH] Install customization packages left for us by a USB key.
C. Scott Ananian
cscott at laptop.org
Fri Mar 7 16:41:30 EST 2008
On Fri, Mar 7, 2008 at 12:00 PM, Michael Stone <michael at laptop.org> wrote:
> On Fri, Mar 07, 2008 at 10:11:06AM -0500, C. Scott Ananian wrote:
> > Classic privilege-escalation attack.
> /, /home, and /home/olpc, are only writable by uids 0 and 500. Both uids
> 0 and 500 have direct access to uid 0. Therefore, if Mallory can affect
> what files are pointed to by $PKGDIR, then she already had access to uid
> 0. Is there a more subtle privilege escalation attack that I missed?
Yes. The presence of this hook turns the ability to *write files* as
UID 500 into the ability to *execute code* as UID 0. These
permissions should not be identical, and where they are (for example,
in so far as we source scripts from /home/olpc instead of parsing
non-executable configuration files) I believe this to be a flaw in our
security. A subtle version of this attack would be to have an
attacker write /home/olpc/.bashrc, which would be invoked when the
child launched Terminal; we should perhaps consider passing
--noprofile to bash in Terminal to mitigate this risk.
I am also very concerned about the number of activities running as UID
500, but I think that's off-topic, and on the schedule of
things-to-be-fixed at any rate.
( http://cscott.net/ )
More information about the Devel