On Sun, 13 Aug 2006 03:41:35 -0500
Corey Wright <undefined@pobox.com> wrote:
> this email is to serve as a notification of a problem and a survey of
> possible workarounds/solutions.
>
> the problem: when using dpkg to upgrade a package that contains setuid/gid
> files which have been unified/hashified, dpkg wants to first chmod 600 the
> files before unlinking them (in case somebody has hardlinked to a security
> susceptible file which will remain even after the upgrade because of the
> hardlink). of course, as the files are immutable, the chmod fails, but
> this behavior is never seen for all other files because dpkg unlinks them
> without chmodding them first (and unlinking is allowed).

my final solution is attached, which is a patch to dpkg disabling the
behavior of chmodding a setuid/gid file 600 before removing it. this still
doesn't address the security problem of a non-root user hardlinking a
locally-exploitable setuid file before upgrade and it still being available
to exploit after upgrade. the solution to that is limiting users to
writing on a partition (/home) separate from setuid files (/ & /usr) (which
is already a "best practice", but hard to justify on small-sized vserver
guests).

so anyways, this is the patch that i applied to dpkg that i installed only
on my hashified/unified vserver guests, not the vserver host.

corey
-- undefined@pobox.com
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
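
The trade-off described in the message above, as an added example that is not part of the original email or of dpkg: it shows that stripping the mode before unlinking also neutralises a stray hardlink, while a plain unlink leaves the setuid bit reachable through it, and it includes an audit helper for setuid/setgid files that have more than one link. The file names and the function names `upgrade_and_inspect` and `find_multiply_linked_special` are constructed for illustration.

```python
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID


def upgrade_and_inspect(strip_first):
    """Simulate removing a setuid file that a user has hardlinked.

    Returns the permission bits left on the stray hardlink afterwards.
    """
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "tool")     # constructed stand-in for a packaged setuid file
        stray = os.path.join(d, "stray")  # constructed stand-in for a user's hardlink
        with open(old, "w") as f:
            f.write("old version\n")
        os.chmod(old, 0o4755)
        os.link(old, stray)
        if strip_first:
            # The mode is stored in the inode, so every link loses the bits.
            os.chmod(old, 0o600)
        # unlink removes one name only; the inode survives through `stray`.
        os.unlink(old)
        return stat.S_IMODE(os.stat(stray).st_mode)


def find_multiply_linked_special(root):
    """Return regular setuid/setgid files under root that have more than one link."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL and st.st_nlink > 1:
                hits.append((path, st.st_nlink, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


if __name__ == "__main__":
    print("chmod 600 then unlink:", oct(upgrade_and_inspect(True)))
    print("unlink only:          ", oct(upgrade_and_inspect(False)))
```

On a unified guest the shared files carry extra links by design, so the link-count audit is informative on filesystems that are not unified.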