
[Plash] Re: Plash 1.16 - possible security hole


From: Mark Seaborn
Subject: [Plash] Re: Plash 1.16 - possible security hole
Date: Fri, 29 Dec 2006 12:02:00 +0000 (GMT)

Richard Thrippleton <address@hidden> wrote:

> I'm fairly confident that I've discovered a security hole in plash that allows
> sandboxed programs to illicitly grant access to the parent user's (that is,
> the user invoking pola-run) account to other users on the local system.
> I invoke a shell in pola-run, and give it full access to /tmp/ (which seems
> reasonable). From within that confined shell, I cp a binary into /tmp/, and
> chmod u+s it. Then any other user in the system can execute this setuid
> binary to become the parent user.
> I've reproduced this bug to my satisfaction on 1.16, and I didn't see mention
> of it in the 1.17 release notes. Let me know if you're able to reproduce it.

This was fixed in version 1.17.  Specifically, in SVN revision 253.
Plash now refuses to set the setuid/setgid bits on the sandboxed
program's behalf.  Looks like I missed this change when updating the
changelog from the SVN log; I'll add it in now.

Cheers,
Mark
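
The policy described in the reply above, sketched as an added example for readers of this archive (this is not Plash's code and not from either poster): a trusted proxy that performs chmod on a sandboxed client's behalf refuses any mode carrying the setuid or setgid bit. The name `mediated_chmod`, the choice to return EPERM rather than silently strip the bits, and the scratch paths are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bits a sandboxed caller must never be able to set through the proxy. */
#define PRIV_BITS (S_ISUID | S_ISGID)

/* Hypothetical proxy entry point: chmod carried out by the trusted process
 * (running as the invoking user) for a sandboxed client. Returns 0 or -errno.
 * Path confinement to the granted directory is assumed to happen elsewhere. */
int mediated_chmod(int dirfd, const char *name, mode_t mode)
{
    if (mode & PRIV_BITS)
        return -EPERM;              /* refuse the request outright */
    if (fchmodat(dirfd, name, mode & 07777, 0) < 0)
        return -errno;
    return 0;
}

/* Constructed self-check: in a fresh temp directory, request u+s through the
 * proxy, then an ordinary mode. Returns 0 if the policy held. */
int demo(void)
{
    char dir[] = "/tmp/chmod-demo-XXXXXX";   /* constructed scratch path */
    struct stat st;
    int rc = 1;

    if (!mkdtemp(dir)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int fd = openat(dfd, "prog", O_CREAT | O_WRONLY | O_EXCL, 0700);
    if (fd < 0) return -1;
    close(fd);

    int denied  = mediated_chmod(dfd, "prog", 04755);  /* chmod u+s */
    int allowed = mediated_chmod(dfd, "prog", 0755);   /* plain chmod */
    if (fstatat(dfd, "prog", &st, 0) == 0 && denied == -EPERM &&
        allowed == 0 && (st.st_mode & 07777) == 0755)
        rc = 0;                     /* setuid bit never reached the file */

    unlinkat(dfd, "prog", 0);
    close(dfd);
    rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```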



