capabilities and privilege escalation

Robert Connolly robert at linuxfromscratch.org
Sun Aug 21 00:38:30 PDT 2011


I found an interesting paper about Linux capabilities and privilege 
escalation:
http://dl.packetstormsecurity.net/papers/attack/exploiting_capabilities_the_dark_side.pdf

It explains how some capabilities can lead to a root shell. I commented out 
(removed) the capabilities for Shadow and Util-linux-ng because of a temp file 
race condition...

Basically, umount, passwd, and other programs which create temporary files will 
create that file as the regular user (unless the program is suid), which allows 
the regular user to manipulate files such as /etc/mtab or /etc/shadow.

For the moment suid-root is safer, but /bin/ping can keep using capabilities 
safely.

robert
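
An added illustration of the ownership point in the message above (not code from the message, Shadow, or Util-linux-ng): a file created by a process is owned by that process's effective uid, so a program holding only file capabilities creates its temp file as the invoking user. The function names and the `/tmp/mtab-example` path are hypothetical; `tmp_safe_for` is one possible check a program could run before renaming a temp file over a root-owned file.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a temp file and report which uid owns it. The kernel stamps a new
 * file with the creator's fsuid, which follows the effective uid: root for a
 * suid-root binary, the invoking user for one that only has file capabilities. */
int create_tmp(char *tmpl, uid_t *owner)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    *owner = st.st_uid;
    return fd;
}

/* Return 1 only if the open temp file is fit to replace a file that must
 * belong to `required`: regular, single link, owned by `required`, and not
 * writable by group or others. */
int tmp_safe_for(int fd, uid_t required)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == required && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void)
{
    char tmpl[] = "/tmp/mtab-example.XXXXXX";  /* constructed path */
    uid_t owner;
    int fd = create_tmp(tmpl, &owner);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("euid=%d tmp owner=%d ok as root-owned replacement: %s\n",
           (int)geteuid(), (int)owner, tmp_safe_for(fd, 0) ? "yes" : "no");
    close(fd);
    unlink(tmpl);
    return 0;
}
```

Run as a regular user, the program reports the temp file as owned by that user and not acceptable as a root-owned replacement; run as root, it reports owner 0 and accepts it.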