Comment by rkeene2

17 hours ago

Interestingly it fails for me because my `su` isn't world-readable:

  $ stat /bin/su
    File: /bin/su
    Size: 59552           Blocks: 118        IO Block: 59904  regular file
  Device: 0,52    Inode: 796854      Links: 1
  Access: (4711/-rws--x--x)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2023-09-18 13:23:03.117105665 -0500
  Modify: 2021-02-13 05:15:56.000000000 -0600
  Change: 2023-09-18 13:23:03.119105665 -0500
   Birth: 2023-09-18 13:23:03.117105665 -0500

I'm not sure I have any setuid/setgid binaries that are world-readable...

A workaround might be to make all setuid/setgid files non-world-readable because then they cannot be opened at all, and thus there is no setuid file to replace the contents of.

  • Eh, if you can pollute page caches this won't save you.

    Think modifying shared libraries, ld preload, cron, I guess on some systems /etc/passwd even.

    There are a lot of files readable that should definitely not be writable.

    • Fair enough -- a simpler change might be to poison /etc/passwd and call `su` to a user that has uid 0, since that requires no shell code nor a readable binary, and this seems to have worked in a slightly modified POC:

        f=g.open("/etc/passwd",0);
        e="rkeene:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash\n".encode()
        ...
        g.system("/run/wrappers/bin/su - rkeene")

It being readable is the default configuration most places, after all the purpose is to call it from a non-privileged user. But I could see it being made non-readable since its use is discouraged nowadays... though then I'd expect sudo to be readable as an alternative.

  • My `sudo` is also not readable. Files/directories don't need to be readable to be executed. I can still use `su` and `sudo`.
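The two points made in this thread (the proposed workaround of making setuid/setgid files non-world-readable, and the last comment noting that execute permission does not require read permission) can be checked on a real system with a short audit script. The following is an added example, not code from the thread or from any of the commenters: it lists the setuid/setgid files under a tree that are also world-readable, and offers a helper that removes the "other read" bit from such a file. It assumes a POSIX `find(1)` and `chmod(1)`; the directory layout in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find setuid/setgid files that are
# also world-readable, which is the combination the discussion is about.
# Assumes POSIX find(1) and chmod(1).

# Print, one per line, every regular file under $1 that has the setuid or
# setgid bit set AND is readable by "other".
#   -perm -4000 : setuid bit set
#   -perm -2000 : setgid bit set
#   -perm -0004 : "other read" bit set (world-readable)
#   -xdev       : do not descend into other filesystems (e.g. /proc)
audit_setxid_readable() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -0004 2>/dev/null
}

# Return 0 if the single file $1 is setuid/setgid and world-readable,
# 1 otherwise.
check_file() {
    [ -n "$(audit_setxid_readable "$1")" ]
}

# The workaround proposed in the thread: drop the "other read" bit so the
# file can still be executed (execute does not require read) but can no
# longer be opened for reading by unprivileged users.  Only touches files
# that audit_setxid_readable reports.
harden_setxid() {
    audit_setxid_readable "$1" | while IFS= read -r f; do
        chmod o-r "$f"
        printf 'removed world-read from %s\n' "$f"
    done
}

# Stand-alone usage: audit the usual system binary directories.
# Run as:  sh audit_setxid.sh
if [ "${0##*/}" = "audit_setxid.sh" ]; then
    for d in /bin /sbin /usr/bin /usr/sbin; do
        [ -d "$d" ] && audit_setxid_readable "$d"
    done
fi
```

Running `audit_setxid_readable /` on a stock distribution typically prints `su`, `sudo`, `passwd` and similar, which is the "default configuration" the second-to-last comment refers to; on the commenter's system with mode 4711 the list would be empty. Note that `harden_setxid` changes file modes and will be undone by the next package upgrade that reinstalls those binaries, so treat it as a stop-gap rather than a fix.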