I believe I've found a bug in Unionfs which can be exploited by an unprivileged user to escalate their privileges.
My root filesystem is unionfs which combines a mounted squashfs image with an initially empty, read-write tmpfs. In this setup, an unprivileged user is permitted to modify (for instance) /etc/passwd (uid=0, gid=0, mode=644), this modified file is saved in the read-write branch, and then the user is not permitted to modify the file further (i.e. additional attempts by the unprivileged user to modify the file would result in the proper response of "permission denied"). If a user were to use this to edit /etc/sudoers, he could easily exploit this bug to grant himself unlimited system access. I'm guessing I'm not the only one out there who has a setup rather like this, so I'm hoping somebody else out there could help me verify this bug. Thanks, Mark Tomich
signature.asc
Description: This is a digitally signed message part
_______________________________________________ unionfs mailing list: http://unionfs.filesystems.org/ unionfs@mail.fsl.cs.sunysb.edu http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs