bug-coreutils

Re: su vulnerability on coreutils 6.9 (64-bit Linux)


From: Eric Blake
Subject: Re: su vulnerability on coreutils 6.9 (64-bit Linux)
Date: Thu, 25 Sep 2008 19:05:56 -0600
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080708 Thunderbird/2.0.0.16 Mnenhy/0.7.5.666

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to Brian Biswas on 9/25/2008 1:13 PM:
> Hi, Eric.
> 
> Thanks for the quick response!!

Please keep replies on the list, so that others may chime in.

> 
> Yes this is the coreutils 6.9 package.
> If I build the package locally, su works correctly.
> 
> If I build it in AFS space, it lets a user become root without asking a
> password!
> 
> It looks like a set groups call is failing and then you drop into a root
> shell instead of back to the user shell.  This piece of code from su.c,
> I think, is
> where the problem occurs:
> 
> change_identity (const struct passwd *pw)
> {
> #ifdef HAVE_INITGROUPS
>   errno = 0;
>   if (initgroups (pw->pw_name, pw->pw_gid) == -1)
>     error (EXIT_FAIL, errno, _("cannot set groups"));
>   endgrent ();
> #endif
>   if (setgid (pw->pw_gid))
>     error (EXIT_FAIL, errno, _("cannot set group id"));
>   if (setuid (pw->pw_uid))
>     error (EXIT_FAIL, errno, _("cannot set user id"));
> }
> 
> 
> Here is the strace output:
> 
> % strace ./su
> =jenny= strace ./su
> execve("./su", ["./su"], [/* 50 vars */]) = 0
> brk(0)                                  = 0x1666d000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x2aaaaaaab000
> uname({sys="Linux", node="jenny.its.unc.edu", ...}) = 0
> access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
> directory)
> open("/afs/isis/pkg/libpng-127/lib/tls/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/libpng-127/lib/tls/x86_64", 0x7fffb19b9030) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/libpng-127/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT
> (No such file or directory)
> stat("/afs/isis/pkg/libpng-127/lib/tls", 0x7fffb19b9030) = -1 ENOENT (No
> such file or directory)
> open("/afs/isis/pkg/libpng-127/lib/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/libpng-127/lib/x86_64", 0x7fffb19b9030) = -1 ENOENT
> (No such file or directory)
> open("/afs/isis/pkg/libpng-127/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> stat("/afs/isis/pkg/libpng-127/lib", 0x7fffb19b9030) = -1 ENOENT (No
> such file or directory)
> open("/afs/isis/pkg/Xaw3d-12/lib/tls/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/Xaw3d-12/lib/tls/x86_64", 0x7fffb19b9030) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/Xaw3d-12/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT
> (No such file or directory)
> stat("/afs/isis/pkg/Xaw3d-12/lib/tls", 0x7fffb19b9030) = -1 ENOENT (No
> such file or directory)
> open("/afs/isis/pkg/Xaw3d-12/lib/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/Xaw3d-12/lib/x86_64", 0x7fffb19b9030) = -1 ENOENT
> (No such file or directory)
> open("/afs/isis/pkg/Xaw3d-12/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> stat("/afs/isis/pkg/Xaw3d-12/lib", {st_mode=S_IFDIR|0750, st_size=2048,
> ...}) = 0
> open("/afs/isis/pkg/ncurses-54/lib/tls/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/ncurses-54/lib/tls/x86_64", 0x7fffb19b9030) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/ncurses-54/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT
> (No such file or directory)
> stat("/afs/isis/pkg/ncurses-54/lib/tls", 0x7fffb19b9030) = -1 ENOENT (No
> such file or directory)
> open("/afs/isis/pkg/ncurses-54/lib/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/ncurses-54/lib/x86_64", 0x7fffb19b9030) = -1 ENOENT
> (No such file or directory)
> open("/afs/isis/pkg/ncurses-54/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> stat("/afs/isis/pkg/ncurses-54/lib", {st_mode=S_IFDIR|0755,
> st_size=2048, ...}) = 0
> open("/afs/isis/pkg/libpng-105/lib/tls/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/libpng-105/lib/tls/x86_64", 0x7fffb19b9030) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/libpng-105/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT
> (No such file or directory)
> stat("/afs/isis/pkg/libpng-105/lib/tls", 0x7fffb19b9030) = -1 ENOENT (No
> such file or directory)
> open("/afs/isis/pkg/libpng-105/lib/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/libpng-105/lib/x86_64", 0x7fffb19b9030) = -1 ENOENT
> (No such file or directory)
> open("/afs/isis/pkg/libpng-105/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> stat("/afs/isis/pkg/libpng-105/lib", {st_mode=S_IFDIR|0750,
> st_size=2048, ...}) = 0
> open("/afs/isis/pkg/tiff-361/lib/tls/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/tiff-361/lib/tls/x86_64", 0x7fffb19b9030) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/tiff-361/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT
> (No such file or directory)
> stat("/afs/isis/pkg/tiff-361/lib/tls", 0x7fffb19b9030) = -1 ENOENT (No
> such file or directory)
> open("/afs/isis/pkg/tiff-361/lib/x86_64/libc.so.6", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat("/afs/isis/pkg/tiff-361/lib/x86_64", 0x7fffb19b9030) = -1 ENOENT
> (No such file or directory)
> open("/afs/isis/pkg/tiff-361/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> stat("/afs/isis/pkg/tiff-361/lib", {st_mode=S_IFDIR|0755, st_size=2048,
> ...}) = 0
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=70294, ...}) = 0
> mmap(NULL, 70294, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaaac000
> close(3)                                = 0
> open("/lib64/libc.so.6", O_RDONLY)      = 3
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\331!\34?\0\0\0"...,
> 832) = 832
> fstat(3, {st_mode=S_IFREG|0755, st_size=1699912, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x2aaaaaabe000
> mmap(0x3f1c200000, 3481848, PROT_READ|PROT_EXEC,
> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3f1c200000
> mprotect(0x3f1c34a000, 2093056, PROT_NONE) = 0
> mmap(0x3f1c549000, 20480, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x3f1c549000
> mmap(0x3f1c54e000, 16632, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3f1c54e000
> close(3)                                = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x2aaaaaabf000
> arch_prctl(ARCH_SET_FS, 0x2aaaaaabf220) = 0
> mprotect(0x3f1c549000, 16384, PROT_READ) = 0
> mprotect(0x3f1c01a000, 4096, PROT_READ) = 0
> munmap(0x2aaaaaaac000, 70294)           = 0
> brk(0)                                  = 0x1666d000
> brk(0x1668e000)                         = 0x1668e000
> socket(PF_FILE, SOCK_STREAM, 0)         = 3
> fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
> fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
> connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
> ENOENT (No such file or directory)
> close(3)                                = 0
> socket(PF_FILE, SOCK_STREAM, 0)         = 3
> fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
> fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
> connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
> ENOENT (No such file or directory)
> close(3)                                = 0
> open("/etc/nsswitch.conf", O_RDONLY)    = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=1696, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x2aaaaaaac000
> read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1696
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x2aaaaaaac000, 4096)            = 0
> open("/afs/isis/pkg/Xaw3d-12/lib/libnss_files.so.2", O_RDONLY) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/ncurses-54/lib/libnss_files.so.2", O_RDONLY) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/libpng-105/lib/libnss_files.so.2", O_RDONLY) = -1
> ENOENT (No such file or directory)
> open("/afs/isis/pkg/tiff-361/lib/libnss_files.so.2", O_RDONLY) = -1
> ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=70294, ...}) = 0
> mmap(NULL, 70294, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaaac000
> close(3)                                = 0
> open("/lib64/libnss_files.so.2", O_RDONLY) = 3
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\37\0\0\0\0\0\0"...,
> 832) = 832
> fstat(3, {st_mode=S_IFREG|0755, st_size=53880, ...}) = 0
> mmap(NULL, 2139432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> 0) = 0x2aaaaaac0000
> mprotect(0x2aaaaaaca000, 2093056, PROT_NONE) = 0
> mmap(0x2aaaaacc9000, 8192, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x2aaaaacc9000
> close(3)                                = 0
> mprotect(0x2aaaaacc9000, 4096, PROT_READ) = 0
> munmap(0x2aaaaaaac000, 70294)           = 0
> open("/etc/passwd", O_RDONLY)           = 3
> fcntl(3, F_GETFD)                       = 0
> fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
> fstat(3, {st_mode=S_IFREG|0644, st_size=2147, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x2aaaaaaac000
> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2147
> close(3)                                = 0
> munmap(0x2aaaaaaac000, 4096)            = 0
> open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 3
> read(3, "65536\n", 31)                  = 6
> close(3)                                = 0
> socket(PF_FILE, SOCK_STREAM, 0)         = 3
> fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
> fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
> connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
> ENOENT (No such file or directory)
> close(3)                                = 0
> socket(PF_FILE, SOCK_STREAM, 0)         = 3
> fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
> fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
> connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
> ENOENT (No such file or directory)
> close(3)                                = 0
> open("/etc/group", O_RDONLY)            = 3
> fcntl(3, F_GETFD)                       = 0
> fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
> fstat(3, {st_mode=S_IFREG|0644, st_size=668, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x2aaaaaaac000
> lseek(3, 0, SEEK_CUR)                   = 0
> read(3, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 668
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x2aaaaaaac000, 4096)            = 0
> setgroups(7, [0, 1, 2, 3, 4, 6, 10])    = -1 EPERM (Operation not
> permitted)
> write(2, "./su: ", 6./su: )                   = 6
> write(2, "cannot set groups", 17cannot set groups)       =
> 17                                       
> <<<<<------------------------------------
> write(2, ": Operation not permitted", 25: Operation not permitted) =
> 25                                <<<<<------------------------------------
> write(2, "\n", 1
> )                       = 1
> close(1)                                = 0
> close(2)                                = 0
> exit_group(1)                           = ?
> 

- --
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjcNXMACgkQ84KuGfSFAYADjQCffTlnXcr0M6IM4VG7m/dNPK0+
Nh4AoMg0rL/wwid0oYsZm9A/uyMZxHuG
=WrQc
-----END PGP SIGNATURE-----
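The sequence quoted from su.c above (initgroups, then setgid, then setuid, each checked) is the standard shape of a privilege switch, and the trace shows what happens when the process lacks the privilege to do it: the initgroups call ends in setgroups(), which needs CAP_SETGID, so it returns EPERM, su prints "cannot set groups" and calls exit_group(1). The following is an added example, not coreutils code and not from the thread: it is a self-contained version of that routine that checks every step, verifies the resulting identity, and fails closed. It takes an explicit group list instead of calling initgroups (which, as the trace shows, just reads /etc/group and calls setgroups), and the demo target in main() is the caller's own uid/gid, a constructed choice so that only the privilege check matters. Run as an ordinary user it reproduces the EPERM from the trace; run with CAP_SETGID/CAP_SETUID it succeeds and verifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step of the identity switch failed (for diagnostics). */
enum id_step {
    ID_STEP_OK = 0,
    ID_STEP_SETGROUPS,
    ID_STEP_SETGID,
    ID_STEP_SETUID,
    ID_STEP_VERIFY
};

/* Human-readable name for a step; the strings mirror su's diagnostics. */
const char *id_step_name(enum id_step s)
{
    switch (s) {
    case ID_STEP_OK:        return "ok";
    case ID_STEP_SETGROUPS: return "cannot set groups";
    case ID_STEP_SETGID:    return "cannot set group id";
    case ID_STEP_SETUID:    return "cannot set user id";
    case ID_STEP_VERIFY:    return "identity verification failed";
    }
    return "unknown";
}

/*
 * Switch the whole process identity to (uid, gid, groups).
 * Order matters: supplementary groups first, then primary gid, then uid.
 * Once the uid is dropped the process no longer holds CAP_SETGID, so a
 * group change attempted afterwards would fail and leave the caller's
 * groups in place.  Every step is checked; on failure errno is preserved
 * and *failed names the step, so the caller can fail closed.
 */
int change_identity_checked(uid_t uid, gid_t gid,
                            const gid_t *groups, size_t ngroups,
                            enum id_step *failed)
{
    /* Requires CAP_SETGID; an unprivileged process gets EPERM here,
       exactly as in the strace output above. */
    if (setgroups(ngroups, groups) == -1) {
        *failed = ID_STEP_SETGROUPS;
        return -1;
    }
    if (setgid(gid) == -1) {
        *failed = ID_STEP_SETGID;
        return -1;
    }
    if (setuid(uid) == -1) {
        *failed = ID_STEP_SETUID;
        return -1;
    }
    /* Verify the kernel's view matches what we asked for (real and
       effective ids; setuid() as root sets the saved id as well). */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        *failed = ID_STEP_VERIFY;
        errno = EPERM;
        return -1;
    }
    /* The drop must be irreversible: a non-root target must not be able
       to become root again.  If setuid(0) succeeds here, a saved uid of 0
       survived and the switch was cosmetic; refuse to continue. */
    if (uid != 0 && setuid(0) == 0) {
        *failed = ID_STEP_VERIFY;
        errno = EPERM;
        return -1;
    }
    *failed = ID_STEP_OK;
    return 0;
}

int main(void)
{
    /* Constructed demo target: our own uid/gid with one supplementary
       group, so the only thing being tested is whether we hold the
       privilege to change identity at all. */
    gid_t groups[1] = { getgid() };
    enum id_step failed;

    if (change_identity_checked(getuid(), getgid(), groups, 1, &failed) == -1) {
        /* Same shape as su's diagnostic in the trace, then a non-zero exit:
           never fall through into exec'ing a shell after a failed step. */
        fprintf(stderr, "demo: %s: %s\n", id_step_name(failed), strerror(errno));
        return EXIT_FAILURE;
    }
    printf("identity switched and verified: uid=%d gid=%d\n",
           (int) getuid(), (int) getgid());
    return EXIT_SUCCESS;
}
```

The point of the extra verification after setuid() is that a program exec'ing a shell next must not rely on the return codes alone: it should confirm the ids the kernel now reports and, for a non-root target, that root cannot be regained. The trace shows su doing the right thing at the failing step (error() exits with status 1); whatever shell the user then found themselves in was not started by this su process.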



