Bug#416302: su-to-root is not paranoid enough
Package: menu
Version: 2.1.33
Severity: normal

I think su-to-root could use a bit more paranoia. For instance, sourcing the
~/.su-to-rootrc, while not harmful in itself, might be used in conjunction with
other bugs in a local escalation of privileges. Also, PATH is set for
text mode, but not X11. Other points needing attention, from #debian-devel:

- $IFS
- variable quoting
  echo enter $PRIV passwd:
- I can add commands to $PRIV via the command line.
- use exec

Thanks,
Ben

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages menu depends on:
ii  dpkg          1.13.25        package maintenance system for Deb
ii  libc6         2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libgcc1       1:4.1.1-21     GCC support library
ii  libstdc++6    4.1.1-21       The GNU Standard C++ Library v3

menu recommends no packages.

-- no debconf information

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
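The following is an added illustration of the points in the report above (unquoted expansion under a caller-controlled $IFS, globbing in the echo prompt, and sourcing a user rc file); it is not su-to-root's code or anything from the menu package. The function names, the PRIV and SU_TO_ROOT_SU variable names, the PATH value and the KEY=VALUE rc file layout are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration for the bug report above; not su-to-root's own code.
# Each unhardened habit the report names is shown next to a hardened form.
# Function names, PRIV/SU_TO_ROOT_SU, the PATH value and the rc layout are
# assumptions for this example only.

# Unhardened handler: the name passed as $1 is expanded unquoted while IFS
# holds a caller-controlled character.  With IFS=':' and PRIV='root:-c:id'
# the single argument becomes three words, which is how "extra commands"
# ride along in what was meant to be one user name.  Returns the word count.
loose_words() {
    PRIV=$1
    IFS=':'
    set -- $PRIV            # unquoted on purpose: subject to field splitting
    unset IFS               # restore default splitting for the caller
    printf '%s\n' "$#"
}

# Hardened handler: reset IFS and PATH before anything else, refuse names
# that are not plain user-name characters, and quote every expansion so the
# argument stays exactly one word whatever it contains.  A real wrapper would
# finish with `exec su "$PRIV" ...` (or sudo) so no shell lingers behind the
# privileged command; exec is left out here so the function runs in-process.
strict_words() {
    unset IFS
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    PRIV=$1
    case $PRIV in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # reject empty and odd characters
    esac
    set -- "$PRIV"          # quoted: always exactly one word
    printf '%s\n' "$#"
}

# The prompt from the report, `echo enter $PRIV passwd:`: unquoted, $PRIV is
# also subject to pathname expansion, so a PRIV of '*' prints the files in
# the current directory instead of the literal name.
loose_prompt() {
    echo enter $1 passwd:
}

# Hardened prompt: printf with a fixed format and a quoted argument prints
# the name verbatim, whatever characters it holds.
prompt_line() {
    printf 'enter %s passwd:\n' "$1"
}

# Hardened rc handling: rather than ". $HOME/.su-to-rootrc", which executes
# whatever shell text the file holds, read it line by line and keep only
# KEY=VALUE lines for keys we know.  Any other line is ignored, never run.
# Prints the selected value (empty if the file sets none).
read_rc() {
    rcfile=$1
    SU_TO_ROOT_SU=
    while IFS='=' read -r key value; do
        case $key in
            SU_TO_ROOT_SU) SU_TO_ROOT_SU=$value ;;
            *) ;;           # unknown key or arbitrary shell text: dropped
        esac
    done < "$rcfile"
    printf '%s\n' "$SU_TO_ROOT_SU"
}
```

Run it with a constructed rc file containing a stray command line (for instance `echo pwned`) next to `SU_TO_ROOT_SU=sudo`: read_rc returns `sudo` and the stray line never executes, whereas sourcing the file would have run it in the user's own session, which is the "in conjunction with other bugs" worry in the report.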
Bug#416302: su-to-root is not paranoid enough
On Mon, Mar 26, 2007 at 02:58:39PM -0300, Ben Armstrong wrote:
> Package: menu
> Version: 2.1.33
> Severity: normal
>
> I think su-to-root could use a bit more paranoia. For instance, sourcing the
> ~/.su-to-rootrc, while not harmful in itself, might be used in conjunction with
> other bugs in a local escalation of privileges. Also, PATH is set for
> text mode, but not X11. Other points needing attention, from #debian-devel:
>
> - $IFS
> - variable quoting
>   echo enter $PRIV passwd:
> - I can add commands to $PRIV via the command line.
> - use exec

Hello Ben,

What is your attack model? su-to-root is an unprivileged shell script.

I do not have the #debian-devel log at hand.

Cheers,
--
Bill. <[EMAIL PROTECTED]>

Imagine a large blue swirl here.