35 lines
1.3 KiB
Text
35 lines
1.3 KiB
Text
--------------------------------------------------------------------------------
|
|
security,
|
|
Nico Schottelius 2005-06-13 (Last Modified: 2005-06-14)
|
|
--------------------------------------------------------------------------------
|
|
|
|
A little note about cinit security and how to exploit it:
|
|
|
|
cinit trusts its socket, /etc/cinit/tmp/coala. If somebody not
|
|
authorised has access to it, your system is taken over.
|
|
|
|
Through this socket anybody with write access can:
|
|
|
|
- shutdown, restart and power-off the host
|
|
- spawn a local unprotected shell
|
|
- execute anything as the user cinit runs (most likely root)
|
|
|
|
Currently cinit does not care very much about the socket permissions.
|
|
On my system this creates a socket with srwxr-x-rx permissions, which
|
|
isi suitable for normal operation, which will not accept connect()
|
|
by others than root.
|
|
|
|
But you can also loosen the security and allow people from a specfic group
|
|
to control your system:
|
|
|
|
ei # chmod 770 /etc/cinit/tmp/coala
|
|
ei # chown root:cinit /etc/cinit/tmp/coala
|
|
|
|
Now everybody in the cinit group can control your system.
|
|
Please think twice before doing that, as you read above, anyone from
|
|
the cinit group may start a root shell on the initial console then!
|
|
|
|
For extra parnoid settings you can do the following:
|
|
|
|
ei # chmod 700 /etc/cinit/tmp/coala
|
|
ei # chown root:root /etc/cinit/tmp/coala
|