30 lines
1.1 KiB
Text
30 lines
1.1 KiB
Text
|
--------------------------------------------------------------------------------
|
||
|
security,
|
||
|
Nico Schottelius 2005-06-13 (Last Modified: 2005-06-14)
|
||
|
--------------------------------------------------------------------------------
|
||
|
|
||
|
A little note about cinit security and how to exploit it:
|
||
|
|
||
|
cinit trusts its socket, /etc/cinit/tmp/coala. If somebody not
|
||
|
authorised has access to it, your system is taken over.
|
||
|
|
||
|
Through this socket anybody with write access can:
|
||
|
|
||
|
- shutdown, restart and power-off the host
|
||
|
- spawn a local unprotected shell
|
||
|
- execute anything as the user cinit runs (most likely root)
|
||
|
|
||
|
Currently cinit does not care very much about the socket permissions.
|
||
|
On my system this creates a socket with srwxr-x-rx permissions, which
|
||
|
isi suitable for normal operation.
|
||
|
|
||
|
But you can also loosen the security and allow people from a specfic group
|
||
|
to control your system:
|
||
|
|
||
|
ei # chmod 770 /etc/cinit/tmp/coala
|
||
|
ei # chown root:cinit /etc/cinit/tmp/coala
|
||
|
|
||
|
Now everybody in the cinit group can control your system.
|
||
|
Please think twice before doing that, as you read above, anyone from
|
||
|
the cinit group may start a root shell on the initial console.
|