Re: Bug#357561: privilege escalation hole
On Friday 02 March 2007 21:30, Bjørn Mork <bmork@dod.no> wrote:
> Nor did I. Does anyone have a pointer to a discussion of this? I
> assume it must have been discussed a few times already.
A few times in other places, not sure about this list.
> I think I'll stop using su now ;-)
"setsid su" will be fine, as will "exec su" in some situations (where the call
chain results in the termination of su closing the terminal).
> BTW, I noticed that mysql-server-5.0 also has a problem similar to
> apache. This is the ps output after a recent "apt-get upgrade":
>
> root 8458 0.0 0.0 3912 904 pts/3 S Feb28 0:00 /bin/sh
> /usr/bin/mysqld_safe mysql 8495 0.0 0.3 126524 3780 pts/3 Sl
> Feb28 0:00 \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql
> --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --ski root 8496
> 0.0 0.0 2968 356 pts/3 S Feb28 0:00 \_ logger -p daemon.err
> -t mysqld_safe -i -t mysqld
It's hard to tell. The parent process didn't call setsid(), it would probably
be best if mysqld_safe would call setsid() before executing the mysqld. But
if mysqld called setsid() then it would not be exploitable.
> Does the special treating of terminal exploits mean that this is not a
> bug? Or should it be reported with a low severity? As opposed to
> apache, normal users rarely have access to run their own code in mysql
> context anyway, so exploitng this may be difficult.
If a user cracks the mysqld then they may be able to take over the root
account because of this. I believe that it's something that we should get
fixed. Using setsid(8) to run mysqld would fix it.
The mysqld is started as root and then changes it's UID to mysql, this means
that it can not be ptraced (in a default kernel configuration) which makes it
slightly more difficult to exploit this apparent bug.
Also in a default Debian install there is no password for the "root" account
in the MySQL users table (see the following for an example). I've just filed
a bug report against mysql-server.
$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u
root mysql
Host User Password
localhost root
aeon root
localhost debian-sys-maint *882F
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
Reply to: