Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Ralf Dreibrodt
Hi,

Kevin van Haaren wrote:
> 
> if I:
> ssh in as a user account
> su root

have a look at this:

ralf@debian:~$ su
Password: 
debian:/home/ralf# set | grep LOGNAME
LOGNAME=ralf
debian:/home/ralf# exit
ralf@debian:~$ su -
Password: 
debian:~# set | grep LOGNAME
LOGNAME=root

"su" != "su -"

what about the others?
have they used "su -" or "su"?

bye
Ralf



Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Kevin van Haaren

At 5:11 PM +1300 1/22/02, Adam Warner wrote:

> 1. Log in as root
> 2. su - user
> 3. startx (running KDE, not GNOME)
> 4. Click on the Control Center
> 5. There in the Control Center info box it will state that the user is
> root!
>
> Why does the KDE Control Center think the user is currently root? In
> contrast the GNOME Control Center properly identifies the username.


i've seen similar in reverse.  I don't have KDE (or X actually) 
installed on my boxes, if I:

ssh in as a user account
su root
run set command to list environment, I see:
LOGNAME=user I ssh'd as
MAIL=/var/mail/user

I can't ssh in as root and I'm too lazy to walk downstairs and try 
the other way around from the console.


Is this really a security issue?  Does KDE Control Center actually 
run as root, or just report that it is root?


Kevin



Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Christoph Wegener
Florian Weimer wrote:

> Adam Warner <[EMAIL PROTECTED]> writes:
>
> > 1. Log in as root
> > 2. su - user
>
> Does "su -" write a new utmp entry?  I don't think so.

NO - unfortunately not
But an entry in your log-messages exists - but - of course that depends on your
personal config...

Greetz
Christoph
--
   .-.                           Ruhr-Universitaet Bochum
   /v\    L   I   N   U   X      Lehrstuhl fuer Biophysik
  // \\  >Penguin Computing<     c/o Christoph Wegener
 /(   )\                         Gebaeude ND 04/Nord
  ^^-^^                          D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:[EMAIL PROTECTED] http://www.bph.ruhr-uni-bochum.de




Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Florian Weimer
Adam Warner <[EMAIL PROTECTED]> writes:

> 1. Log in as root
> 2. su - user

Does "su -" write a new utmp entry?  I don't think so.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898



Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Adam Warner
On Wed, 2002-01-23 at 00:35, Preben Randhol wrote:
> Adam Warner <[EMAIL PROTECTED]> wrote on 22/01/2002 (10:00) :
> > Here's how you can reproduce it (running Debian unstable):
> > 
> > 1. Log in as root
> > 2. su - user
> 
> if you here write whoami instead of starting X what does it say?

As expected, the correct username.

Regards,
Adam



Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Preben Randhol
Adam Warner <[EMAIL PROTECTED]> wrote on 22/01/2002 (10:00) :
> Here's how you can reproduce it (running Debian unstable):
> 
> 1. Log in as root
> 2. su - user

if you here write whoami instead of starting X what does it say?

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Adam Warner
On Tue, 2002-01-22 at 23:31, martin f krafft wrote:
> also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.22.0511 +0100]:
> > I realise now that I have witnessed this kind of issue before ("In some
> > circumstances, it's possible for a non-privileged process to have `root'
> > as the login name returned by getlogin.")
> 
> okay, and that does it for me. can you try it with exec:
> 
> > 1. Log in as root
> > 2. exec su - user
>  
> > 3. startx (running KDE, not GNOME)
> > 4. Click on the Control Center
> > 5. There in the Control Center info box it will state that the user is
> > root!

The info box still says root after using exec su - user.

Well we now know there is a difference between logging in a user and
using exec su - user.

Regards,
Adam




Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.22.0511 +0100]:
> I realise now that I have witnessed this kind of issue before ("In some
> circumstances, it's possible for a non-privileged process to have `root'
> as the login name returned by getlogin.")

okay, and that does it for me. can you try it with exec:

> 1. Log in as root
> 2. exec su - user
 
> 3. startx (running KDE, not GNOME)
> 4. Click on the Control Center
> 5. There in the Control Center info box it will state that the user is
> root!

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
as i learn the innermost secrets of the people around me,
they reward me in many ways to keep me quiet.


Re: the su - user thread [Potential Debian Security Issue]

2002-01-22 Thread Leo Howell
On Tue, Jan 22, 2002 at 05:11:45PM +1300, Adam Warner wrote:
> Why does the KDE Control Center think the user is currently root? In
> contrast the GNOME Control Center properly identifies the username.

Perhaps KDE uses getlogin(2) ?


-- 
Leo Howell   M5AKW
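
An added example (not written by any poster in this thread): a small C check that compares the identity sources the thread keeps running into, getlogin(), $LOGNAME and the effective uid, and flags a name that belongs to a different account than the one the process runs as. The helper names name_matches_uid and name_from_uid are made up for this illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Does a claimed login name (getlogin() or $LOGNAME) belong to the uid the
 * kernel enforces? 1 = same account, 0 = different account,
 * -1 = name missing or not in the passwd database. */
int name_matches_uid(const char *claimed, uid_t uid)
{
    if (claimed == NULL || *claimed == '\0')
        return -1;
    struct passwd *pw = getpwnam(claimed);
    if (pw == NULL)
        return -1;
    return pw->pw_uid == uid ? 1 : 0;
}

/* Account name for a uid, copied into buf (the passwd result is static).
 * This is the lookup whoami(1) performs on the effective uid. */
const char *name_from_uid(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return NULL;
    snprintf(buf, len, "%s", pw->pw_name);
    return buf;
}

static void report(const char *source, const char *claimed, uid_t uid)
{
    int r = name_matches_uid(claimed, uid);
    printf("%-9s %-12s %s\n", source, claimed ? claimed : "(none)",
           r == 1 ? "same account as euid"
           : r == 0 ? "DIFFERENT account than euid" : "cannot be checked");
}

int main(void)
{
    char buf[256];
    uid_t euid = geteuid();
    const char *real = name_from_uid(euid, buf, sizeof buf);

    printf("euid      %-12ld %s\n", (long)euid, real ? real : "(no passwd entry)");
    report("getlogin", getlogin(), euid);        /* login-session record */
    report("LOGNAME", getenv("LOGNAME"), euid);  /* inherited environment */
    return 0;
}
```

Running it once after `su` and once after `su -` gives the same comparison as the `set | grep LOGNAME` sessions in the thread, with the getlogin() value shown alongside.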




Re: the su - user thread [Potential Debian Security Issue]

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 05:26, martin f krafft wrote:
> this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
> may not have been, be, or will be applicable to Debian Linux or Linux in
> general. you have been warned. properly.
> 
> http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en

I realise now that I have witnessed this kind of issue before ("In some
circumstances, it's possible for a non-privileged process to have `root'
as the login name returned by getlogin.")

Here's how you can reproduce it (running Debian unstable):

1. Log in as root
2. su - user
3. startx (running KDE, not GNOME)
4. Click on the Control Center
5. There in the Control Center info box it will state that the user is
root!

Why does the KDE Control Center think the user is currently root? In
contrast the GNOME Control Center properly identifies the username.

Regards,
Adam




the su - user thread

2002-01-21 Thread martin f krafft
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
may not have been, be, or will be applicable to Debian Linux or Linux in
general. you have been warned. properly.

http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
you're in college. you've made a mistake.

