[ http://www.rootshell.com/ ] Date: Tue, 28 Apr 1998 15:28:54 +0200 From: Thomas Roessler Subject: [Debian 2.0] /usr/bin/suidexec gives root access Executive summary: /usr/bin/suidexec gives every user a root shell. Remove it. tlr ----- Forwarded message from Thomas Roessler ----- Date: Tue, 28 Apr 1998 15:21:17 +0200 From: Thomas Roessler Subject: suidmanager: SECURITY BREACH: /usr/bin/suidexec gives root access to every user on the system To: submit@bugs.debian.org Package: suidmanager Version: 0.18 [This report also goes to the bugtraq mailing list.] /usr/bin/suidexec will execute arbitrary commands as root, as soon as just _one_ suid root shell script can be found on the system: Just invoke /usr/bin/suidexec /path/to/script - it will happily execute your program with euid = 0. This is completely sufficient for doing arbitrary damage on the system. Additionally, suidexec will fail with shells which close all but the "standard" file descriptorson startup: /proc/self/fd/ (which is the file descriptor suidexec has opened for the shell script in question) will have vanished after this. I am actually considering this a feature, as it avoids some of the $HOME/.cshrc related standard exploits. SOLUTION: Just drop suidexec from the distribution. Trying to do setuid shell scripts is almost always a bad idea. If you absolutely need such things, use sudo. -- System Information Debian Release: 2.0 (frozen) Kernel Version: Linux sobolev 2.0.33 #16 Sun Apr 19 23:48:02 MEST 1998 i586 unknown Versions of the packages suidmanager depends on: libc6 Version: 2.0.7pre1-4 ----- End forwarded message ----- -- Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/ 2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1 ------------------------------------------------------------------------- Date: Wed, 29 Apr 1998 06:45:19 +1100 From: Russell Coker - mailing lists account Subject: Re: [Debian 2.0] /usr/bin/suidexec gives root access >Executive summary: /usr/bin/suidexec gives every user a >root shell. Remove it. Also change the suidexec line in /etc/suid.conf to the following so it never gets the SUID bit again: suidmanager /usr/bin/suidexec root root 755 ^^^^ The default is 4755. --- Vote 1; Claudia Christian. http://www.worldcharts.nl/xindex.html ------------------------------------------------------------------------- Date: Tue, 28 Apr 1998 14:32:54 -0700 From: Joey Hess Subject: Re: [Debian 2.0] /usr/bin/suidexec gives root access Russell Coker - mailing lists account wrote: > >Executive summary: /usr/bin/suidexec gives every user a > >root shell. Remove it. > > Also change the suidexec line in /etc/suid.conf to the following so it never > gets the SUID bit again: suidmanager /usr/bin/suidexec root root 755 > ^^^^ > The default is 4755. A simpler fix is to just upgrade to suidmanager 0.19 (from ftp://ftp1.us.debian.org/debian/Incoming/suidmanager_0.19_all.deb), which removes the suidexec program entirely. -- see shy jo