
Re: Bug#357561: privilege escalation hole



On Friday 02 March 2007 21:30, Bjørn Mork <bmork@dod.no> wrote:
> Nor did I.  Does anyone have a pointer to a discussion of this?  I
> assume it must have been discussed a few times already.

A few times in other places, not sure about this list.

> I think I'll stop using su now ;-)

"setsid su" will be fine, as will "exec su" in some situations (where the call 
chain results in the termination of su closing the terminal).

> BTW, I noticed that mysql-server-5.0 also has a problem similar to
> apache.  This is the ps output after a recent "apt-get upgrade":
>
> root      8458  0.0  0.0   3912   904 pts/3    S    Feb28   0:00 /bin/sh /usr/bin/mysqld_safe
> mysql     8495  0.0  0.3 126524  3780 pts/3    Sl   Feb28   0:00  \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --ski
> root      8496  0.0  0.0   2968   356 pts/3    S    Feb28   0:00  \_ logger -p daemon.err -t mysqld_safe -i -t mysqld

It's hard to tell.  The parent process didn't call setsid(); it would probably 
be best if mysqld_safe would call setsid() before executing the mysqld.  But 
if mysqld called setsid() then it would not be exploitable.

> Does the special treating of terminal exploits mean that this is not a
> bug?  Or should it be reported with a low severity?  As opposed to
> apache, normal users rarely have access to run their own code in mysql
> context anyway, so exploiting this may be difficult.

If a user cracks the mysqld then they may be able to take over the root 
account because of this.  I believe that it's something that we should get 
fixed.  Using setsid(8) to run mysqld would fix it.

The mysqld is started as root and then changes its UID to mysql; this means 
that it can not be ptraced (in a default kernel configuration), which makes it 
slightly more difficult to exploit this apparent bug.

Also in a default Debian install there is no password for the "root" account 
in the MySQL users table (see the following for an example).  I've just filed 
a bug report against mysql-server.

$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u root mysql
Host    User    Password
localhost       root
aeon    root
localhost       debian-sys-maint        *882F

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
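The mitigation Russell recommends above (starting the daemon in its own session via setsid so it no longer shares the controlling terminal of the shell that launched it), as an added C example that is not from this thread or from Debian's mysqld_safe; the function names are my own, and the check relies on open("/dev/tty") failing with ENXIO once a process has no controlling terminal.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the caller still has a controlling terminal, 0 if it has none. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* Wait for pid; its exit status, or -1 if it did not exit normally. */
int wait_exit_status(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Fork, move the child into a new session with setsid() so it no longer
 * shares the caller's controlling terminal, then exec argv there.  setsid()
 * runs in the child because it fails with EPERM for a process group leader.
 * Returns the child's pid or -1; the child exits 127 on setsid/exec failure. */
pid_t spawn_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    return pid;
}

/* Self-check: after setsid() the child is its own session leader and has no
 * controlling tty.  Returns 1 if both hold in the child, else 0. */
int detached_child_is_isolated(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(setsid() == getpid() && !has_controlling_tty() ? 0 : 1);
    return wait_exit_status(pid) == 0;
}
```

The same separation is what "setsid su" or setsid(8) in front of mysqld achieves from a shell or init script.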
