[SECURITY] Simpleinit root exploit

Donald G. Wilson Jr. wilson at warwick.net
Sun May 26 19:19:24 PDT 2002


Hello. Forgive my errors or transgressions if any.

I subscribed to this list wondering how security problems are handled 
before installing LFS.
I am at a total loss here as to what is being described. I am also at a 
total loss as to the workaround (running xdm).
This is a home linux box that everyone in the family uses (6 yr. old 
prefers kde, 15 yr. old prefers gnome, etc.)
Graphical login managers provide a simple solution to this situation. 
Does this mean I shouldn't bother w/ LFS?
Do these kinds of problems get resolved at a later point, or is it just 
another gearhead deal of running linux?
Presently I run MDK 8.2; I was upset I actually spent money on SuSE 8.0.

I want a clean Linux that is only doing things I told it to do so I 
thought of LFS, but was afraid security issues would be left behind.
Suggestions?
I am interested in security since I have a static IP.
Thank you in advance for your time.

BTW, if any of you desire to flame me for not knowing all the process and 
script stuff, keep it to yourself. You're not benefiting the community.
dw


Matthias Benkmann wrote:

>Systems affected:
>Systems using simpleinit (from util-linux) or simpleinit-msb
>
>Summary:
>A security issue has been discovered in simpleinit that permits a local
>(and in some cases even a remote) attacker to execute arbitrary commands
>with root privileges.
>
>Details:
>An open file descriptor referring to /dev/initctl is inherited by
>processes started via bootprog=, finalprog= and ctrlaltdel= lines in
>inittab. This file descriptor can be used to send commands to init
>(including the command to execute a program). If bootprog, finalprog or
>ctrlaltdel specifies a program that accepts data from untrusted sources or
>launches a program that accepts data from untrusted sources, this can be
>exploited to run an arbitrary program with root permissions.
>
>Usually bootprog, finalprog and ctrlaltdel lines start only trusted
>programs (boot scripts) that do not interact with untrusted users. 
>There is one common exception, though: xdm. If xdm or any other program that
>allows user logins is started directly or indirectly through bootprog,
>finalprog or ctrlaltdel and if that program does not close its file
>descriptors, then any user who can successfully log in will inherit the
>vulnerable file descriptor.
>
>Notes:
>ttylines (the lines that usually start and respawn gettys) are
>not affected.
>sshd (from openssh-3.1p1) does not seem to be affected, either, even if it
>is started by a boot script. It inherits the vulnerable file descriptor
>but does not pass it on to the processes it starts.
>
>
>Workaround:
>Do not start xdm or other programs that interact with untrusted users from
>the bootprog, finalprog and ctrlaltdel programs and programs started by
>these programs.
>
>Fix:
>A fixed simpleinit-msb is available at 
>
>http://www.winterdrache.de/linux/newboot/index.html
>
>I don't know when this will be fixed in util-linux. The current version
>2.11r is still vulnerable.
>
>MSB
>
>

-- 
Donald Wilson
http://www.geocities.com/~donius 
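The descriptor-inheritance problem in the quoted advisory can be checked and closed off from a program's own side. The following is added example C code, not from simpleinit, util-linux or the advisory: count_fds_to() scans /proc/self/fd for descriptors that resolve to a given path, and mark_cloexec() flags a descriptor so execve() drops it before a child such as a login manager can inherit it. The demo opens /dev/null as a stand-in for /dev/initctl.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count the descriptors open in this process that resolve to `path`
 * (for init that would be "/dev/initctl"), by reading the symlinks in
 * /proc/self/fd. Returns -1 if /proc is not available. */
int count_fds_to(const char *path) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        char link[64], target[4096];
        snprintf(link, sizeof link, "/proc/self/fd/%s", e->d_name);
        ssize_t len = readlink(link, target, sizeof target - 1);
        if (len < 0) continue;          /* closed meanwhile or unreadable */
        target[len] = '\0';
        if (strcmp(target, path) == 0) n++;
    }
    closedir(d);
    return n;
}

/* Mark fd close-on-exec so execve() drops it instead of handing it to
 * the bootprog/finalprog/ctrlaltdel child. Returns 0 on success. */
int mark_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is close-on-exec, 0 if a child would inherit it, -1 on error. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

int main(void) {
    int fd = open("/dev/null", O_RDWR);   /* stand-in for /dev/initctl */
    printf("descriptors to /dev/null: %d\n", count_fds_to("/dev/null"));
    mark_cloexec(fd);
    printf("fd %d close-on-exec: %d\n", fd, is_cloexec(fd));
    return 0;
}
```

Running count_fds_to("/dev/initctl") inside a process started from inittab shows whether the leaked descriptor reached it; a program that must keep such a descriptor for its own use should mark it close-on-exec before spawning anything.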