I have now sent the following to the BugTraq and FullDisclosure mailing lists, see e.g.
http://www.securityfocus.com/archive/1/393997
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032804.html

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

---

> From psz Wed Mar 23 09:11:45 2005
> To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> Subject: root-equivalent groups
>
> Most UNIX/Linux installations have some groups (or users) whose members may
> be able to become root, for example:
>
> Group   What            Do
> bin     /usr/bin        create trojan
> disk    /dev/hda        raw write and create setuid root
> kmem    /dev/kmem       read root password
> shadow  /etc/shadow     crack root password
> staff   /usr/local/bin  create trojan
> tape    /dev/st0        read confidential backup tape
> tty     /dev/tty        add keystrokes, run any code
>
> Often there are no users in these groups nor setgid binaries, so this may
> not matter; in fact these groups may be useless, and the files could be
> owned by root instead. Group staff is probably special in that
> administrators may add users to that group, thinking that this is a lesser
> privilege than root.
>
> Even in the absence of users in the group, it may be possible for attackers
> to "get" that group, via become-any-group-but-root bugs. Such bugs are
> quite common: when a group of machines share writable (e.g. user home)
> directories via NFS exported from somewhere with default root-squash,
> getting root on any one machine gives precisely that on all others of the
> group. There have been "genuine" such bugs also, e.g. in sendmail.
>
> Please ensure that you are safe: review your use of root-equivalent groups,
> file ownerships, and NFS configurations.
>
> For some more discussion please see http://bugs.debian.org/299007 .
>
> Cheers,
>
> Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
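One way to start the review the post asks for, as an added example that is not part of the original message: a small POSIX shell audit of the root-equivalent groups from the table above. The group names are the post's; the sample group and passwd files are constructed here, and the file paths are parameters so the same functions can be pointed at the real /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added audit helper (not from the original post). It checks the
# root-equivalent groups named in the post's table; file paths are
# arguments so it runs against the constructed samples below as well as
# the real /etc/group and /etc/passwd.
ROOT_EQUIV_GROUPS="bin disk kmem shadow staff tape tty"

# Print "group:member,member" for each root-equivalent group that has
# supplementary members listed in the group file (default /etc/group).
populated_root_equiv_groups() {
    group_file="${1:-/etc/group}"
    for g in $ROOT_EQUIV_GROUPS; do
        awk -F: -v g="$g" '$1 == g && $4 != "" { printf "%s:%s\n", $1, $4 }' "$group_file"
    done
}

# Print "group:user" for users whose primary group (passwd field 4) is a
# root-equivalent group; /etc/group does not list these memberships.
primary_root_equiv_users() {
    passwd_file="${1:-/etc/passwd}"
    group_file="${2:-/etc/group}"
    for g in $ROOT_EQUIV_GROUPS; do
        gid=$(awk -F: -v g="$g" '$1 == g { print $3; exit }' "$group_file")
        [ -n "$gid" ] || continue
        awk -F: -v gid="$gid" -v g="$g" '$4 == gid { printf "%s:%s\n", g, $1 }' "$passwd_file"
    done
}

# List setgid or group-writable files owned by a root-equivalent group
# below a directory (default /); the groups must exist on this host.
risky_root_equiv_files() {
    for g in $ROOT_EQUIV_GROUPS; do
        find "${1:-/}" -xdev -group "$g" \( -perm -2000 -o -perm -0020 \) 2>/dev/null
    done
}

# Constructed sample files standing in for /etc/group and /etc/passwd:
# staff has two supplementary members, and carol's primary group is tape.
SAMPLE_GROUP=$(mktemp); SAMPLE_PASSWD=$(mktemp)
printf 'root:x:0:\nbin:x:2:\nstaff:x:50:alice,bob\ntape:x:26:\nusers:x:100:\n' > "$SAMPLE_GROUP"
printf 'root:x:0:0::/root:/bin/sh\ncarol:x:1001:26::/home/carol:/bin/sh\nalice:x:1000:100::/home/alice:/bin/sh\n' > "$SAMPLE_PASSWD"

populated_root_equiv_groups "$SAMPLE_GROUP"                # staff:alice,bob
primary_root_equiv_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP"  # tape:carol
```

Running `risky_root_equiv_files /usr` on a real host lists the setgid and group-writable files those groups own, which is the set an administrator would want to justify or re-own to root.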