Bug#845385: Privilege escalation via removal

Markus Koschany apo at debian.org
Tue Nov 29 22:45:52 UTC 2016


On Wed, 23 Nov 2016 09:35:34 +1100 Paul Szabo <paul.szabo at sydney.edu.au>
wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u4
> Severity: critical
> Tags: security
> 
> Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
> writable by group tomcat8, as per the postinst script. Then the tomcat8
> user, in the situation envisaged in DSA-3670 and DSA-3720, see also
>   http://seclists.org/fulldisclosure/2016/Oct/4
> could use something like commands
>   touch /etc/tomcat8/Catalina/attack
>   chmod 2747 /etc/tomcat8/Catalina/attack
> to create a file:
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
> Then if the tomcat8 package is removed (purged?), the postrm script runs
>   chown -Rhf root:root /etc/tomcat8/
> and that will leave the file world-writable, setgid root:
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
> allowing "group root" access to the world.

I don't understand why this is a security issue when
/etc/tomcat8/Catalina/attack is owned by root:root after the purge and
the tomcat8 user doesn't even exist anymore.

Markus


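The report above turns on a detail of the Linux chown(2) rule that is easy to miss: a recursive chown clears the setuid bit, and it clears the setgid bit on a group-executable file, but a setgid file with no group-execute bit (the 2747 / rwxr-Srwx mode the reporter chose) is treated by the kernel as a mandatory-locking candidate and keeps its setgid bit, whoever calls chown. The script below is an added example, not part of this thread or of the tomcat8 package; it reproduces that behaviour as an unprivileged user (chown to one's own uid:gid exercises the same kernel path as root's chown -Rhf root:root) and shows the kind of cleanup a maintainer script could run on such a tree. It assumes Linux with GNU coreutils (stat -c, find -perm /MODE); the fixture directory and file names are constructed for the demonstration, and strip_dangerous_bits is an illustrative hardening step, not the fix Debian shipped.

```bash
#!/bin/sh
# Added example, not from the bug report or the tomcat8 package.
# Assumes Linux + GNU coreutils. Runs as an unprivileged user.
set -e

# Octal mode of a file, special bits included (e.g. "2747").
mode_of() { stat -c %a "$1"; }

# Constructed fixture standing in for the group-writable
# /etc/tomcat8/Catalina: three attacker-created files with special bits.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    : > "$dir/sgid_exec"    # 2757 rwxr-srwx: setgid AND group-executable
    : > "$dir/sgid_noexec"  # 2747 rwxr-Srwx: setgid, no group-exec (the report)
    : > "$dir/suid"         # 4747 rwsr--rwx: setuid
    chmod 2757 "$dir/sgid_exec"
    chmod 2747 "$dir/sgid_noexec"
    chmod 4747 "$dir/suid"
    printf '%s\n' "$dir"
}

# Same shape as the postrm's "chown -Rhf root:root /etc/tomcat8/", but a
# non-root caller can only chown to itself. The kernel applies its
# kill-setuid / kill-setgid rules on every chown(2) regardless of caller.
postrm_style_chown() {
    chown -Rhf "$(id -u):$(id -g)" "$1"
}

# Illustrative hardening (assumption, not Debian's actual fix): before or
# after a recursive chown, strip setuid, setgid and world-write from every
# regular file in the tree so nothing a low-privileged user planted
# survives the ownership change with dangerous bits.
strip_dangerous_bits() {
    find "$1" -type f -perm /6002 -exec chmod u-s,g-s,o-w {} +
}

# Demo when run directly.
demo_dir=$(make_fixture)
for f in sgid_exec sgid_noexec suid; do
    printf 'before chown  %-12s %s\n' "$f" "$(mode_of "$demo_dir/$f")"
done
postrm_style_chown "$demo_dir"
for f in sgid_exec sgid_noexec suid; do
    printf 'after  chown  %-12s %s\n' "$f" "$(mode_of "$demo_dir/$f")"
done
strip_dangerous_bits "$demo_dir"
for f in sgid_exec sgid_noexec suid; do
    printf 'after  strip  %-12s %s\n' "$f" "$(mode_of "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

After the chown the three files read 757, 2747 and 747: the setuid file and the group-executable setgid file lose their special bit, while the 2747 file keeps setgid together with its world-write bit, which is exactly the state the reporter observed after purge. After strip_dangerous_bits they read 755, 745 and 745.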