[SECURITY] Simpleinit root exploit
Donald G. Wilson Jr.
wilson at warwick.net
Sun May 26 19:19:24 PDT 2002
Hello. Forgive my errors or transgressions if any.
I subscribed to this list wondering how security problems are handled
before installing LFS.
I am at a total loss here as to what is being described. I am also at a
total loss as to the workaround (running xdm).
This is a home linux box that everyone in the family uses (6 yr. old
prefers kde, 15 yr. old prefers gnome, etc.)
Graphical login managers provide a simple solution to this situation.
Does this mean I shouldn't bother w/ LFS?
Do these kinds of problems get resolved at a later point, or is it just
another gearhead deal of running linux?
Presently I run MDK 8.2. I was upset I actually spent money on SuSE 8.0.
I want a clean Linux that is only doing things I told it to do so I
thought of LFS, but was afraid security issues would be left behind.
I am interested in security since I have a static IP.
Thank you in advance for your time.
BTW, if any of you desire to flame me for not knowing all the process and
script stuff, keep it to yourself. You're not benefiting the community.
Matthias Benkmann wrote:
>Systems using simpleinit (from util-linux) or simpleinit-msb
>A security issue has been discovered in simpleinit that permits a local
>(and in some cases even a remote) attacker to execute arbitrary commands
>with root privileges.
>An open file descriptor referring to /dev/initctl is inherited by
>processes started via bootprog=, finalprog= and ctrlaltdel= lines in
>inittab. This file descriptor can be used to send commands to init
>(including the command to execute a program). If bootprog, finalprog or
>ctrlaltdel specifies a program that accepts data from untrusted sources or
>launches a program that accepts data from untrusted sources, this can be
>exploited to run an arbitrary program with root permissions.
>Usually bootprog, finalprog and ctrlaltdel lines start only trusted
>programs (boot scripts) that do not interact with untrusted users.
>There is one common exception, though: xdm
>If xdm or any other program that
>allows user logins is started directly or indirectly through bootprog,
>finalprog or ctrlaltdel and if that program does not close its file
>descriptors, then any user who can successfully log in will inherit the
>vulnerable file descriptor.
>ttylines (the lines that usually start and respawn gettys) are
>sshd (from openssh-3.1p1) does not seem to be affected, either, even if it
>is started by a boot script. It inherits the vulnerable file descriptor
>but does not pass it on to the processes it starts.
>Do not start xdm or other programs that interact with untrusted users from
>the bootprog, finalprog and ctrlaltdel programs and programs started by
>A fixed simpleinit-msb is available at
>I don't know when this will be fixed in util-linux. The current version
>2.11r is still vulnerable.