www.nico.schottelius.org/software/cinit/browse_source/cinit-0.3pre12/doc/ancient/security


--------------------------------------------------------------------------------
security,
Nico Schottelius 2005-06-13 (Last Modified: 2005-06-14)
--------------------------------------------------------------------------------
A little note about cinit security and how to exploit it:
cinit trusts its socket, /etc/cinit/tmp/coala. If somebody who is not
authorised has access to it, your system is taken over.
Through this socket anybody with write access can:
- shut down, restart and power off the host
- spawn a local unprotected shell
- execute anything as the user cinit runs (most likely root)
Currently cinit does not care very much about the socket permissions.
On my system this creates a socket with srwxr-xr-x permissions, which
is suitable for normal operation: the socket will not accept connect()
from anyone other than root.
But you can also loosen the security and allow people from a specific group
to control your system:
ei # chmod 770 /etc/cinit/tmp/coala
ei # chown root:cinit /etc/cinit/tmp/coala
Now everybody in the cinit group can control your system.
Please think twice before doing that: as you read above, anyone from
the cinit group may then start a root shell on the initial console!
For extra paranoid settings you can do the following:
ei # chmod 700 /etc/cinit/tmp/coala
ei # chown root:root /etc/cinit/tmp/coala
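
The following is an added example, not code from cinit or its author. It shows one way a daemon can create such a control socket owner-only from the start by setting the umask before bind(), and then audit the result for the group and other write bits discussed above. The function names, the enum values and the /tmp path are hypothetical, and it assumes Linux, where connect() on a Unix socket requires write permission on the socket file.

```c
/* Added example, not cinit source; all names and the /tmp path are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum { NOT_SOCKET = 1, GROUP_WRITE = 2, OTHER_WRITE = 4, WRONG_OWNER = 8 };

/* Bind a listening Unix socket only its owner may connect() to; -1 on error. */
int open_control_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd, rc;
    mode_t old;
    if (strlen(path) >= sizeof(addr.sun_path)) { errno = ENAMETOOLONG; return -1; }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    unlink(path);          /* remove a stale socket from a previous run */
    old = umask(0077);     /* bind() creates the node as 0777 & ~umask => 0700 */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old);            /* restore: the umask is process-wide */
    if (rc < 0 || listen(fd, 5) < 0) { close(fd); return -1; }
    return fd;
}

/* Return a bitmask of problems; 0 means no group/other write and expected owner. */
int audit_control_socket(const char *path, uid_t owner)
{
    struct stat st;
    int problems = 0;
    if (lstat(path, &st) < 0 || !S_ISSOCK(st.st_mode)) return NOT_SOCKET;
    if (st.st_mode & S_IWGRP) problems |= GROUP_WRITE;   /* e.g. after chmod 770 */
    if (st.st_mode & S_IWOTH) problems |= OTHER_WRITE;
    if (st.st_uid != owner) problems |= WRONG_OWNER;
    return problems;
}

int main(void)
{
    const char *p = "/tmp/coala-example";   /* constructed path, not cinit's */
    if (open_control_socket(p) < 0) { perror("open_control_socket"); return 1; }
    printf("audit: %d\n", audit_control_socket(p, geteuid()));
    return 0;
}
```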