I believe I've found a bug in Unionfs which can be exploited by an unprivileged user to escalate their privileges.
My root filesystem is unionfs which combines a mounted squashfs
image with an initially empty, read-write tmpfs. In this setup, an
unprivileged user is permitted to modify (for instance) /etc/passwd
(uid=0, gid=0, mode=644), this modified file is saved in the read-write
branch, and then the user is not permitted to modify the file further
(i.e. additional attempts by the unprivileged user to modify the file
would result in the proper response of "permission denied"). If a user
were to use this to edit /etc/sudoers, he could easily exploit this bug
to grant himself unlimited system access.
I'm guessing I'm not the only one out there who has a setup rather
like this, so I'm hoping somebody else out there could help me verify
this bug.
Thanks,
Mark Tomich
signature.asc
Description: This is a digitally signed message part
_______________________________________________ unionfs mailing list: http://unionfs.filesystems.org/ unionfs@mail.fsl.cs.sunysb.edu http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs
