[Popcon-developers] Bug#429405: Wrong usage of su in /etc/cron.weekly/popularity-contest (New bug)

Bill Allombert Bill.Allombert at math.u-bordeaux1.fr
Tue Jun 19 12:30:18 UTC 2007


On Mon, Jun 18, 2007 at 07:53:17PM +0200, Klaus Ethgen wrote:
> Hello Bill,
> 
> Am Mo den 18. Jun 2007 um 17:53 schrieb Bill Allombert:
> > It is not the case on Debian by default:
> > nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
> 
> That's true but it is not as save as I wanna have it on my systems. (All
> system users on my system have /bin/sh if no special reason give other.)
> 
> > Furthermore the point of user nobody is to be able to run process
> > that have no file access permission outside 'other' (since no files are
> > owned by user or group nobody). If you preclude it from running
> > programs, then this user is useless. If nobody does not have a default
> > shell, every usage of 'su nobody' must hard-code a shell instead of
> > following /etc/passwd. This is generally a bad thing. Only root can 'su
> > nobody' anyway. 
> 
> That is incorrect. If you have to call something as nobody you know the
> shell where it has to run under. Also I never ever want a normal user to
> su to nobody at all! Moreover nobody has ever to run a interactive shell
> as user nobody! So there is no need for a shell for this user. It is
> only a security problem IF the user nobody has a shell and a server like
> i.e. the webserver has a security flaw when running code as user nobody
> the attacker has a shell for free (Sure with no home but there is other
> places where also nobody can write to)! So never give nobody a shell.

What is you attack model ?  So the server has a security flaw and run as
user nobody. If the attacker can run arbitrary code as user nobody, why
cannot they just exec /bin/sh ? Where does that make a difference ?

If this is indeed a security flaw, we should fix Debian not just popcon.

Cheers,
Bill.




More information about the Popcon-developers mailing list