bug-coreutils

Re: su vulnerability on coreutils 6.9 (64-bit Linux)


From: Bob Proulx
Subject: Re: su vulnerability on coreutils 6.9 (64-bit Linux)
Date: Thu, 25 Sep 2008 15:41:06 -0600
User-agent: Mutt/1.5.13 (2006-08-11)

Brian Biswas wrote:
> I have built the coreutils 6.9 package (the latest) on a 64-bit x86  
> Linux system (Linux 2.6).

What operating system are you using?  64-bit with a Linux 2.6 kernel
could mean any one of a number of different systems.  And x86 implies
a 32-bit system so you probably mean amd64 (aka x86-64).

> If as myself (not root) I type:
> % su
> I become root. No password asked!

I cannot recreate this problem on my 64-bit Debian GNU/Linux system.
I feel that this is more likely to be a PAM (pluggable authentication
modules) configuration issue than an su issue.  (Or perhaps some
confusion over the use of fakeroot.)

Please verify that you are running your newly compiled su and not the
system supplied su.  Please verify the version of su.  Verify your
user id before and after using 'id'.  Something like the following
commands should produce some useful information.

  type su
  ls -l $(type -p su)
  su --version
  id
  strace -o /tmp/su.strace.out su  # will fail because strace isn't setuid
  su
  id
  ls -ld /
  touch /permtestfile
  rm /permtestfile

How did you configure coreutils?  Compress the config.log file with
'gzip' or similar and send it to the mailing list.  (The config.log
file is too big to send without compression.)

> Note: This software resides in AFS space. If I build it locally, the  
> problem does not occur.

Can you share with us how you configured and compiled coreutils?  Your
comments on compiling "locally" or "in AFS space" are not clear.

Bob



