On Mon, Mar 31, 2014 at 7:08 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
(you've got many daemons that can write there and thus, if you manage to compromise them, compromise the whole system in turn).
Nowadays, those daemons run (or should run) with a private /tmp namespace, separated from the host; then this issue is effectively dealt with.
I meant "write in /var/spool".
From /var/spool you can pivot and compromise other daemons, eventually reaching one with which you can escalate to root.
I haven't tried, it's quite labour-intensive, but it is conceivable.

On Mon, Mar 31, 2014 at 7:06 PM, Linda Walsh <suse@tlinx.org> wrote:
Claudio Freire wrote:
On Mon, Mar 31, 2014 at 6:35 PM, Linda Walsh <suse@tlinx.org> wrote:
No, it wasn't.
The first and main issue was (from https://lwn.net/Articles/482544/):
On systems that have user-writable directories on the same partition as system files, a long-standing class of security issues is the hardlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp.
Yes, the problem here is that all systems (except those partitioned excessively and paranoidly, as in one partition per user) have user-writeable system partitions.
---- You don't need a separate / per user; you need users separate from the system. You may also need to disallow creating world-writeable files in world-writeable directories like /tmp.
/tmp is a good example that didn't change;
--- There have been multiple proposals for users to use ~/.tmp (as on Windows) or to use fs-namespace separation to achieve the same. However, a file owned by root in /tmp wouldn't be linkable except to another file in /tmp owned by root... what does that buy you?
Without separating each user in their own namespace, you can induce remote execution by tampering with other applications' temporary files. You can never assume compromising an unprivileged user to be less sensitive than compromising root - that user might have sudo powers or otherwise be important. Here [0][1] you have an old case involving /var/spool (mailbox delivery). Googling, I found this one [2] involving /tmp. Clearly, this is not something new.

[0] http://www.postfix.org/announcements/20080814.html
[1] http://lwn.net/Articles/391474/
[2] http://50.97.85.250-static.reverse.softlayer.com/show/osvdb/96901

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
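The thread above argues about the hardlink/symlink time-of-check-time-of-use race in shared directories like /tmp and /var/spool. The following Python is an added example, not code from this thread or from openSUSE, showing the defensive side of that discussion: how a program should create or open files in a shared directory so that a link planted by another local user is refused rather than followed, and how to read the kernel's fs.protected_hardlinks / fs.protected_symlinks sysctls (which exist on Linux 3.6 and later). The function names, the scratch directory layout and the three constructed files (a clean file, a second hardlink to it, and a symlink) are all my own assumptions for the demonstration.

```python
import os
import stat
import tempfile


def kernel_link_protections():
    """Read fs.protected_hardlinks and fs.protected_symlinks via /proc (Linux only).

    Returns {"protected_hardlinks": 0|1, "protected_symlinks": 0|1}, or None when
    /proc/sys/fs is unavailable (non-Linux host or restricted sandbox).
    """
    result = {}
    for name in ("protected_hardlinks", "protected_symlinks"):
        try:
            with open(f"/proc/sys/fs/{name}") as f:
                result[name] = int(f.read().strip())
        except OSError:
            return None
    return result


def create_private_file(path, mode=0o600):
    """Atomically create a brand-new file at `path` and return its descriptor.

    O_CREAT|O_EXCL fails with EEXIST if *anything* already sits at the path,
    including a symlink someone else planted, so there is no separate
    check-then-create window; O_NOFOLLOW additionally refuses to resolve a
    symlink at the final path component.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    flags |= getattr(os, "O_CLOEXEC", 0)
    return os.open(path, flags, mode)


def audit_open_file(fd, expected_uid=None):
    """Inspect an already-open descriptor (not the path, which could be swapped).

    Returns a list of problems; an empty list means the object is a private,
    single-link regular file owned by the expected uid.
    """
    st = os.fstat(fd)
    uid = os.geteuid() if expected_uid is None else expected_uid
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_nlink != 1:
        # A second directory entry means another name (possibly in another
        # user's directory) reaches this inode: the classic hardlink pivot.
        problems.append(f"link count is {st.st_nlink}, expected 1")
    if st.st_uid != uid:
        problems.append(f"owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems


def open_existing_spool_file(path, expected_uid=None):
    """Open an existing file (e.g. a spool entry) without following symlinks, then audit it.

    Raises OSError if the file fails the audit, so callers never write through
    a planted link.
    """
    fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0))
    problems = audit_open_file(fd, expected_uid)
    if problems:
        os.close(fd)
        raise OSError(f"refusing to use {path}: " + "; ".join(problems))
    return fd


def demo():
    """Constructed scenario in a scratch directory; returns what each check decided."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as d:
        # 1. A freshly created private file passes the audit.
        clean = os.path.join(d, "clean")
        fd = create_private_file(clean)
        os.write(fd, b"hello")
        outcomes["clean"] = audit_open_file(fd)
        os.close(fd)

        # 2. A second hardlink to the same inode (constructed stand-in for a
        #    planted link) is caught by the link-count check.
        linked = os.path.join(d, "linked")
        os.link(clean, linked)
        try:
            os.close(open_existing_spool_file(linked))
            outcomes["hardlink"] = "accepted"
        except OSError:
            outcomes["hardlink"] = "rejected"

        # 3. A symlink sitting where we intend to create a file makes
        #    O_CREAT|O_EXCL fail with EEXIST instead of following it.
        sym = os.path.join(d, "sym")
        os.symlink(clean, sym)
        try:
            os.close(create_private_file(sym))
            outcomes["symlink"] = "created"
        except FileExistsError:
            outcomes["symlink"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print("kernel protections:", kernel_link_protections())
    print(demo())
```

The point of auditing the descriptor rather than the path is that everything about the path can change between a stat() and the open(); only the inode already held open cannot. The link-count check is what private /tmp namespaces and the protected_hardlinks sysctl make unnecessary at the system level, so the sysctl reading is useful as a quick audit of whether a host still needs this kind of per-program defence.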