

Root vulnerabilities in Linux



(This is a rewrite of my first post, with a summary of the solutions
suggested.)

[ Posted to linux-security, bugtraq, debian-security ]

For linux machines in situations where users have physical access (such as
University labs as is the case in this situation), there are some
vulnerabilities that can allow users to get root even if other precautions
have been taken (disabling floppy drive, locking case shut, etc).

There are three problems:

1: Boot to single user mode
2: Specify alternate init program
3: Specify alternate root partition

All three rely on passing parameters to LILO on boot.

I'll explain them each in detail and then talk about fixes.

Problem 1: Booting to single-user mode

This problem exists on at least RedHat.  Debian is not vulnerable to this
problem, as discussed below.

One can type the following to LILO and get a root shell:

Linux 1
Linux emergency

This is due to a problem in the /etc/inittab file.  Debian fixes this by
doing:

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

NOTE: I haven't checked it out, but the other escapes to single-user mode
in RedHat may be an issue too (for instance, if a fsck fails)

Problem 2: Using an alternate init program
(Originally discussed on the Linux kernel developer's list and pointed out
to me by David Gitchell)

One can say to LILO:

Linux init=/bin/bash

And they will get a root shell immediately.  This is an obvious problem.

Problem 3: Specifying an alternate root partition
(Originally mentioned by Bruce Perens)

One can set the root filesystem to point to a filesystem other than the
default.  This is somewhat less of a problem since a root filesystem must
have a certain structure to be useful to an attacker; however, systems
with a /tmp *filesystem* (a separate filesystem, not a directory) could be
vulnerable to attacks using this method.

------------
Fixes
------------

Ideally, Linux would adopt a boot loader mechanism similar to that used by
FreeBSD wherein LILO would only load the kernel and the kernel itself
prompts for information (and could be configured to not accept certain
info).  Seeing that this is unlikely to happen, however:

A workaround can be achieved by using PASSWORD and RESTRICT options in
/etc/lilo.conf.

NOTE:  You MUST set your /etc/lilo.conf to mode 0600 and owner root.root;
otherwise everyone on the system will be able to get your LILO password!
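As an added illustration (not part of the original post), here is a small
POSIX shell audit of a lilo.conf against the two points above: every
image=/other= stanza must be covered by a password= (global or per-stanza),
and the file must be 0600 and owned by root.  In lilo.conf the keywords are
password= and restricted; with restricted, the password is only demanded
when boot parameters are typed, which is exactly the "1", "emergency",
init= and root= cases.  The sample configs in the test are constructed.

```shell
#!/bin/sh
# Added audit for the lilo.conf hardening discussed above (not the post's code).
# lilo_conf_findings FILE prints one finding per line and nothing when clean.
lilo_conf_findings() {
    f=$1
    # Permission/owner check.  ls -ld instead of GNU stat so this runs on any
    # POSIX system: field 1 is the mode string, field 3 the owner.
    ls -ld "$f" | awk -v f="$f" '{
        if (substr($1, 5, 6) != "------")
            print "mode: " f " is readable by group/other, need 0600"
        if ($3 != "root")
            print "owner: " f " is owned by " $3 ", not root"
    }'
    # Content check: a global password= covers every stanza; otherwise each
    # image=/other= stanza needs its own, or typed parameters go unchallenged.
    awk '
        function flush() {
            if (sec != "" && !(pw || gpw))
                print "no password: stanza " sec " accepts typed boot parameters"
        }
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*(image|other)[ \t]*=/ {
            flush()
            sec = $0
            sub(/^[ \t]*(image|other)[ \t]*=[ \t]*/, "", sec)
            sub(/[ \t]*$/, "", sec)
            pw = 0
            next
        }
        /^[ \t]*password[ \t]*=/ { if (sec == "") gpw = 1; else pw = 1 }
        END { flush() }
    ' "$f"
}

# lilo_conf_audit FILE: exit 0 when clean, otherwise print findings and exit 1.
lilo_conf_audit() {
    out=$(lilo_conf_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it as lilo_conf_audit /etc/lilo.conf after editing; the owner check will
of course flag a copy you audit under your own account.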

Alternatively, to bypass the problem altogether, one could elect to boot
the kernel directly without any kind of loader (this usually works best
with a floppy disk but could be done on a hard drive as well).  While this
is probably the most effective solution, it only works in certain
situations (those where the kernel never needs any command-line
parameters).

John Goerzen




--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .