
[Plash] Re: Plash 1.16 - possible security hole


From: Richard Thrippleton
Subject: [Plash] Re: Plash 1.16 - possible security hole
Date: Tue, 2 Jan 2007 04:18:50 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

On Fri Dec 29 12:02, Mark Seaborn wrote:
> Richard Thrippleton <address@hidden> wrote:
> 
> This was fixed in version 1.17.  Specifically, in SVN revision 253.
> Plash now refuses to set the setuid/setgid bits on the sandboxed
> program's behalf.  Looks like I missed this change when updating the
> changelog from the SVN log; I'll add it in now.
Good, glad it got spotted :-).
In related news, I think there's possibly another bug relating to hostile local
users + compromised sandboxed applications. It relates to hardlinks, and has
been verified in 1.17.
The hostile local user creates a hardlink in /tmp pointing to ~victim/.bashrc.
The victim's confined application, though it has little access to files in ~,
can compromise ~/.bashrc via the hardlink. It's reasonable that a confined
application can read/write tmp, and that a hostile local user can hardlink to
the victim's .bashrc; homedirs without world-search permission are rare.

Can you confirm?

Richard
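The check a sandbox can apply before it gives a confined program write access to a file in a shared, world-writable directory, added here as an illustration of the report above; it is not Plash's own code, and the function names and scratch paths are hypothetical. The demo rebuilds the scenario in a throwaway directory (a constructed stand-in for ~victim and /tmp): the "hostile user" hardlinks the victim's .bashrc into the shared directory, and the open helper refuses to write through that name because the inode carries more than one link, while a file the confined program created itself is still writable.

```python
import os
import shutil
import stat
import tempfile


def open_for_write_checked(path, expected_uid):
    """Open `path` for writing only if it is a regular, singly-linked file owned by expected_uid.

    The descriptor is obtained first (O_NOFOLLOW refuses a symlink in the final
    component), then fstat() is applied to that descriptor, so the decision is
    made about the inode actually held rather than about a name that could be
    swapped between a stat() and a later open().  Hypothetical helper, not Plash code.
    """
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s: not a regular file" % path)
        if st.st_nlink != 1:
            # Another name for this inode exists somewhere; in a world-writable
            # directory that other name may be ~victim/.bashrc.
            raise PermissionError("%s: %d links, may alias a file outside the sandbox"
                                  % (path, st.st_nlink))
        if st.st_uid != expected_uid:
            raise PermissionError("%s: owned by uid %d, expected %d"
                                  % (path, st.st_uid, expected_uid))
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Reconstruct the attack from the mail in a scratch tree (constructed, not a real /tmp)."""
    root = tempfile.mkdtemp(prefix="hardlink-demo-")
    home = os.path.join(root, "home", "victim")   # stands in for ~victim
    shared = os.path.join(root, "tmp")            # stands in for /tmp
    os.makedirs(home)
    os.makedirs(shared)
    original = "# victim's shell startup\n"
    bashrc = os.path.join(home, ".bashrc")
    with open(bashrc, "w") as f:
        f.write(original)

    # Hostile local user: link(2) needs only search permission on ~victim and
    # write permission on the shared directory, not write access to .bashrc.
    alias = os.path.join(shared, "innocent.txt")
    os.link(bashrc, alias)

    # A file the confined program legitimately created in the shared directory.
    own = os.path.join(shared, "scratch.txt")
    with open(own, "w") as f:
        f.write("")

    results = {}
    for name, path in (("alias", alias), ("own", own)):
        try:
            fd = open_for_write_checked(path, os.getuid())
            os.write(fd, b"export PATH=/tmp/evil:$PATH\n")
            os.close(fd)
            results[name] = "written"
        except PermissionError:
            results[name] = "refused"
    with open(bashrc) as f:
        results["bashrc_intact"] = f.read() == original
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The link count test is deliberately blunt: it also refuses a file the confined program itself gave a second name to, which is an acceptable false positive for a sandbox that is trading availability for containment. Note that newer Linux kernels (3.6 and later) ship the fs.protected_hardlinks sysctl, which stops an unprivileged user from hardlinking a file they neither own nor can write, and closes this particular avenue at the kernel; the descriptor-level check above still matters on systems without it or with it switched off.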



