system file ownership
robert at linuxfromscratch.org
Mon Jun 4 07:39:40 PDT 2007
On Monday June 4 2007 03:29:21 am Jan Dvořák wrote:
> Robert Connolly wrote:
> > The libcap-1.10/doc/capability.notes file says it's more secure for root
> > to not own any files on the system. It suggests having a 'system' user,
> > who never logs in, owning everything that root would normally own. This
> > is true to an extent...
> Okay... Some random daemon running as root without root's fs caps gets
> cracked. There is /bin/su owned by root for sure, so he modifies it,
> makes it setuid again and then switches to some random uid and runs
> /bin/su that does what is required.
> Would that work? How do you defend against this, if it does?
Drop CAP_SETGID and CAP_SETUID too. It would work if /bin/su inherits
capabilities, or lack of capabilities.
Root would be able to overwrite /bin/su, but wouldn't be able to use even a
modified /bin/su to elevate its capabilities.
There are holes in this though. If root has write access on /etc/shadow then
the attacker can add a new user, replace root's password, start sshd, login
as the new user, and su up to root with full caps. So, root can't
own /etc/shadow... /bin/passwd would have to be suid-shadow. I'm not sure
what to do with /usr/sbin/useradd... su to the shadow user to add users? or
make useradd suid-shadow with only root, and shadow, having execute
permission. Either way, a root user without setuid caps wouldn't be able to
add new users, or change anyone's password.
There are probably more holes.
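As an added illustration (not part of the thread or of libcap), the following Python script audits the capability sets of a uid-0 process for the two groups discussed above: the "fs caps" that let root bypass ownership checks, and CAP_SETUID/CAP_SETGID/CAP_SETPCAP, which a rewritten /bin/su would need in order to hand out privileges. It parses the Cap* lines of /proc/<pid>/status; the bit numbers come from <linux/capability.h>. The bounding set (CapBnd) is checked as well, since a bit left there can be reacquired by executing a setuid-root binary even after it has been dropped from the permitted and effective sets. The two status dumps are constructed samples, not real processes.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_SETGID": 6, "CAP_SETUID": 7,
    "CAP_SETPCAP": 8, "CAP_SETFCAP": 31,
}

# Caps that let a uid-0 process ignore file ownership and permission checks
# or change ownership ("root's fs caps" in the thread).
FS_CAPS = ("CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH",
           "CAP_FOWNER", "CAP_FSETID", "CAP_SETFCAP")
# Caps that let a process change its uid/gid or its own capability sets,
# i.e. what a tampered /bin/su would need to re-elevate.
ID_CAPS = ("CAP_SETUID", "CAP_SETGID", "CAP_SETPCAP")

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Map each Cap* line of a /proc/<pid>/status dump to its integer bitmask."""
    sets = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line.strip())
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def caps_in(mask, names):
    """Return the names from `names` whose bit is set in `mask`, in `names` order."""
    return [n for n in names if (mask >> CAP_BITS[n]) & 1]


def retained_caps(status_text):
    """For the permitted, effective and bounding sets, list which fs caps and
    id-changing caps the process still holds (or could regain via exec)."""
    sets = parse_cap_sets(status_text)
    return {name: {"fs": caps_in(sets[name], FS_CAPS),
                   "id": caps_in(sets[name], ID_CAPS)}
            for name in ("CapPrm", "CapEff", "CapBnd") if name in sets}


def findings(status_text):
    """Human-readable audit lines; empty when both groups are gone everywhere."""
    out = []
    for set_name, held in retained_caps(status_text).items():
        if held["fs"]:
            out.append(f"{set_name} still has file-override caps: {', '.join(held['fs'])}")
        if held["id"]:
            out.append(f"{set_name} still has uid/gid/cap-changing caps: {', '.join(held['id'])}")
    return out


def read_status(pid="self"):
    """Read a live /proc/<pid>/status (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()


# Constructed sample: a uid-0 daemon that dropped the fs caps (bits 0-4, 31)
# but kept CAP_SETGID/CAP_SETUID/CAP_SETPCAP (bits 6, 7, 8). Not a real dump.
DAEMON_FS_CAPS_DROPPED = """Name:\tsomed
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ff7fffffe0
CapEff:\t000001ff7fffffe0
CapBnd:\t000001ff7fffffe0
CapAmb:\t0000000000000000
"""

# Constructed sample: the same daemon after also dropping bits 6, 7 and 8,
# which is what the thread recommends.
DAEMON_HARDENED = """Name:\tsomed
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ff7ffffe20
CapEff:\t000001ff7ffffe20
CapBnd:\t000001ff7ffffe20
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, dump in (("fs caps only", DAEMON_FS_CAPS_DROPPED),
                        ("fs + setuid caps", DAEMON_HARDENED)):
        print(f"== {label} ==")
        for line in findings(dump) or ["no file-override or id-changing caps retained"]:
            print("  " + line)
```

Run it on a live daemon with `findings(read_status(pid))`; the first sample reports CAP_SETUID, CAP_SETGID and CAP_SETPCAP in all three sets, which is exactly the gap the reply points out, while the second reports nothing.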