Re: Debian package manager privilege escalation attack

To: debian-devel@lists.debian.org
Subject: Re: Debian package manager privilege escalation attack
From: Marc Haber <mh+debian-devel@zugschlus.de>
Date: Thu, 12 Aug 2021 17:56:26 +0200
Message-id: <[🔎] E1mED4D-002s2e-6n@drop.zugschlus.de>
In-reply-to: <[🔎] 0673f82bcacf96d8304c49a470b35722@debian.org>
References: <[🔎] CAO6YxPyH5DKH8TB8o=EsE0CesqrqP_Uh1+5DiJOeJjaaY9bPng@mail.gmail.com> <[🔎] 31b54d97-15b4-7cc3-d083-1fe3a664ee91@thykier.net> <[🔎] a91c91916c65e7504d7a035063e08f9f4effffce.camel@hashvault.io> <[🔎] YRS9YQ8UZGE303+j@belkar.wrar.name> <[🔎] 403fc957dc65d27a4908606dd9c6d2eaab48343a.camel@hashvault.io> <[🔎] 766280d0-4d1a-b43a-4d8a-0309e0b73f1b@polynamaude.com> <[🔎] 0673f82bcacf96d8304c49a470b35722@debian.org>

On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern <pkern@debian.org>
wrote:
>On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
>> Now if people start doing stuff they don't master than it's not
>> privilege escalation but much more something like another manifestation
>> of human stupidity. And this, there won't be a number of article
>> sufficient to make people change.
>[...]
>> This is only a article made to get people onto a website and see
>> publicity or whatever goal the author set. There's nothing genuine in 
>> there.
>
>I think it's less about human stupidity than about all the knowledge you 
>need to acquire (and retain) to securely administer a system. It is not 
>easy. The concern expressed here is pretty much common knowledge among 
>sysadmins of ye olde times.

I think the essence of the article is, that on some apt/dpkg using
distributions, a "normal" user gets sudo rights to do apt only (I have
never seen that on Debian, do we do this in some corner case?) and is
able to escalate to root from that trivially, even without doctoring
some malicious package, just shell out from dpkg's conffile prompt to
a full root shell.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Reply to:

Follow-Ups:
- Re: Debian package manager privilege escalation attack
  - From: Philipp Kern <pkern@debian.org>

References:
- Debian package manager privilege escalation attack
  - From: Timothy M Butterworth <timothy.m.butterworth@gmail.com>
- Re: Debian package manager privilege escalation attack
  - From: Niels Thykier <niels@thykier.net>
- Re: Debian package manager privilege escalation attack
  - From: Brian Thompson <brian@hashvault.io>
- Re: Debian package manager privilege escalation attack
  - From: Andrey Rahmatullin <wrar@debian.org>
- Re: Debian package manager privilege escalation attack
  - From: Brian Thompson <brian@hashvault.io>
- Re: Debian package manager privilege escalation attack
  - From: Polyna-Maude Racicot-Summerside <debian@polynamaude.com>
- Re: Debian package manager privilege escalation attack
  - From: Philipp Kern <pkern@debian.org>

Prev by Date: Re: Steam Deck: good news for Linux gaming, bad news for Debian :(
Next by Date: Re: Debian package manager privilege escalation attack
Previous by thread: Re: Debian package manager privilege escalation attack
Next by thread: Re: Debian package manager privilege escalation attack
Index(es):
- Date
- Thread