On Fri, Oct 21, 2016 at 2:02 PM, Mick <michaelkintz...@gmail.com> wrote:
>
> I haven't looked into exploits for this.  At a practical level, what will it
> take to compromise a PC?
>

You need to be able to run arbitrary code as a non-privileged user
that has read-access to a file whose modification would allow
elevation of privileges, on a read-write mounted filesystem.

For example, somebody with shell access to your system could edit a
SUID binary to obtain a root shell.  Or they could edit any number of
config files in /etc to cause code to be run as root, and so on.

In general it is pretty easy to exploit in any multi-user scenario.
It is a privilege escalation vulnerability, so somebody needs to
already be running non-privileged code on your host.  On some more
"exotic" configurations like Android, where all the suid and
configuration stuff is mounted read-only and even read access tends to
be limited cross-user, the opportunity for attacks is much smaller.

I'm not sure how hardening like SELinux interacts with this.  I'm not
sure if it would prevent modification of the files.  It could limit
some of the impact of execution of those files, since you'd probably
be running as root in a more limited security context.  I suspect that
containers wouldn't help a great deal, since you could get root inside
the container, and if you have root inside the container then you can
probably get whatever user that is equivalent to outside the
container, and if that isn't root on the host you could use the same
attack to obtain root on the host.

Note, I'm not an expert on such matters, but this is probably not far
off the mark.

-- 
Rich
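
An added example, not part of the original message: a defensive audit that lists setuid/setgid files meeting the preconditions described above (readable by an unprivileged user, on a read-write mount). The sample mounts and file modes are constructed; treating "readable" as world-readable and skipping nosuid mounts are assumptions of this sketch.

```python
import os
import stat

# Constructed sample data in /proc/mounts format and (path, st_mode) pairs.
SAMPLE_MOUNTS = ("/dev/sda2 / ext4 rw,relatime 0 0\n"
                 "/dev/sda3 /usr ext4 ro,nodev 0 0\n"
                 "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n")
SAMPLE_FILES = [("/bin/su", 0o104755), ("/usr/bin/passwd", 0o104755),
                ("/bin/ls", 0o100755), ("/tmp/helper", 0o104755),
                ("/sbin/unix_chkpwd", 0o104711)]

def parse_mounts(text):
    """Map each mount point to its set of mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that is a path-component prefix of path."""
    hits = [mp for mp in mounts
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def is_exposed(path, mode, mounts):
    """Setuid/setgid, world-readable, on a read-write mount that honours suid."""
    opts = mounts.get(mount_for(path, mounts), set())
    if "rw" not in opts or "nosuid" in opts:  # nosuid mounts ignore the bit
        return False
    return bool(mode & (stat.S_ISUID | stat.S_ISGID)) and bool(mode & stat.S_IROTH)

def audit(files, mounts):
    return [path for path, mode in files if is_exposed(path, mode, mounts)]

def scan(root):
    """Yield (path, st_mode) for regular files under root on the live system."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or is not accessible
            if stat.S_ISREG(mode):
                yield path, mode
```

On a live Linux host, `audit(scan("/usr/bin"), parse_mounts(open("/proc/mounts").read()))` gives the same listing for real files; on the constructed sample only `/bin/su` is reported.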
