rkeene2 2 hours ago:
Interestingly it fails for me because my `su` isn't world-readable:

    $ stat /bin/su
      File: /bin/su
      Size: 59552      Blocks: 118        IO Block: 59904  regular file
    Device: 0,52       Inode: 796854      Links: 1
    Access: (4711/-rws--x--x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2023-09-18 13:23:03.117105665 -0500
    Modify: 2021-02-13 05:15:56.000000000 -0600
    Change: 2023-09-18 13:23:03.119105665 -0500
     Birth: 2023-09-18 13:23:03.117105665 -0500

I'm not sure I have any setuid/setgid binaries that are world-readable...
rkeene2 2 hours ago:
A workaround might be to make all setuid/setgid files non-world-readable because then they cannot be opened at all, and thus there is no setuid file to replace the contents of.
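The check behind the two comments above, as an added example that is not part of the thread (function names are mine): list setuid/setgid regular files and report which ones are world-readable, i.e. openable for reading by any local user, versus mode 4711-style execute-only like the `su` in the `stat` output. It looks only at the classic permission bits; POSIX ACLs are ignored, which is an assumption of this script, and it is equivalent to `find ROOT -type f -perm /6000 -perm -o=r` for the world-readable case.

```python
"""Audit setuid/setgid files for world-readability.

Added example, not code from the thread. Classifies regular files that carry
the setuid or setgid bit by whether the 'other' read bit is set. A 4711 file
can be executed but not opened for reading; a 4755 file can be opened and its
page cache populated by an unprivileged user.
"""
import os
import stat
import sys
from typing import Iterable, List, Tuple

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def classify_setid(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str, bool]]:
    """Given (path, st_mode) pairs, return (path, octal mode, world_readable)
    for every regular file that has the setuid or setgid bit set.
    Directories (setgid dirs are common and harmless here), symlinks and
    device nodes are skipped. ACLs are not consulted (assumption)."""
    out = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        if not mode & SETID_BITS:
            continue
        world_readable = bool(mode & stat.S_IROTH)
        out.append((path, oct(stat.S_IMODE(mode)), world_readable))
    return out


def world_readable_setid(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Just the paths an unprivileged user could open() for reading."""
    return [path for path, _, readable in classify_setid(entries) if readable]


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk `root` without following symlinks and classify what is found.
    Entries that cannot be stat'ed (permission denied, removed mid-walk)
    are skipped rather than aborting the audit."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return classify_setid(entries)


if __name__ == "__main__":
    # Default scan root is an assumption; pass "/" for a full-system audit.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, mode, readable in scan_tree(root):
        flag = "WORLD-READABLE" if readable else "exec-only     "
        print(f"{mode} {flag} {path}")
```

Run it as root (or at least with read access to the directories of interest) so that `os.walk` can enter everything; anything it cannot stat is silently omitted, so an empty result from an unprivileged run is not proof of a clean system.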
hashstring 30 minutes ago:
Eh, if you can pollute page caches this won't save you. Think modifying shared libraries, ld preload, cron, I guess on some systems /etc/passwd even. There are a lot of files readable that should definitely not be writable.
rkeene2 12 minutes ago:
Fair enough -- a simpler change might be to poison /etc/passwd and call `su` to a user that has uid 0, since that requires no shell code nor a readable binary, and this seems to have worked in a slightly modified POC:

    f=g.open("/etc/passwd",0);
    e="rkeene:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash\n".encode()
    ...
    g.system("/run/wrappers/bin/su - rkeene")
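A detection for the /etc/passwd poisoning described in the comment above, as an added example that is not part of the thread and not derived from the POC: it parses passwd-format text and flags any uid-0 entry whose name is not in an allow-list (default: only `root`), empty password fields, duplicate user names, and malformed lines. The sample file is constructed for the example; the line for `rkeene` is the one from the comment. Blank lines and lines starting with `#` are skipped because glibc's files NSS backend ignores them.

```python
"""Audit passwd-format text for unexpected uid-0 accounts.

Added example, not code from the thread. Findings are (line number, code,
user name) tuples so they can be checked programmatically; codes are
"malformed", "bad_id", "dup_name", "nopasswd" and "uid0".
"""
from typing import Iterable, List, Tuple

FIELDS = 7  # name:password:uid:gid:gecos:home:shell

# Constructed sample input for the example; line 3 is the entry from the thread.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "rkeene:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash\n"
    "root:x:1001:1001:second root:/home/r:/bin/sh\n"
    "broken:x:1000\n"
    "toor::0:0:backdoor:/root:/bin/sh\n"
)


def audit_passwd(text: str, allowed_uid0: Iterable[str] = ("root",)) -> List[Tuple[int, str, str]]:
    """Return findings for every suspicious entry in passwd-format `text`.
    `allowed_uid0` lists the names that may legitimately carry uid 0
    (assumption: only root on a standard system)."""
    allowed = set(allowed_uid0)
    findings = []
    seen_names = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # ignored by glibc's nss_files, so ignored here too
        fields = line.split(":")
        name = fields[0]
        if len(fields) != FIELDS:
            findings.append((lineno, "malformed", name))
            continue
        try:
            uid = int(fields[2])
            int(fields[3])  # gid must also be numeric
        except ValueError:
            findings.append((lineno, "bad_id", name))
            continue
        if name in seen_names:
            findings.append((lineno, "dup_name", name))
        seen_names.add(name)
        if fields[1] == "":
            findings.append((lineno, "nopasswd", name))  # no shadow lookup, no password
        if uid == 0 and name not in allowed:
            findings.append((lineno, "uid0", name))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Tuple[int, str, str]]:
    """Convenience wrapper over the real file; path is a parameter so the
    check can also be run against a copy pulled from a suspect host."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, code, name in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {code}: {name}")
```

Because the attack writes into the page cache rather than the on-disk inode, run the check through the normal `open()`/`read()` path on the live system (as `audit_passwd_file` does); comparing against a package manifest or a backup copy of the file on disk can miss a poisoned entry that only exists in cached pages.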
zerocrates an hour ago:
It being readable is the default configuration most places; after all, the purpose is to call it from a non-privileged user. But I could see it being made non-readable since its use is discouraged nowadays... though then I'd expect sudo to be readable as an alternative.
rkeene2 31 minutes ago:
My `sudo` is also not readable. Files/directories don't need to be readable to be executed. I can still use `su` and `sudo`.