[Pkg-shadow-devel] Bug#611584: Bug#611584: /bin/su: not quite aggressive enough about cleaning the environment

Mike Frysinger vapier at gentoo.org
Tue Feb 1 18:32:48 UTC 2011


On Tuesday, February 01, 2011 13:16:22 Zack Weinberg wrote:
> On Mon, Jan 31, 2011 at 10:16 PM, Mike Frysinger <vapier at gentoo.org> wrote:
> > suing to root and claiming security issues makes no sense.  think
> > about it for all of three seconds.
> 
> I have.  If you do "su -" instead of "su" you expect that to isolate
> you from (for instance) hostile clients on the same X session.  I
> realize there are ways a determined attacker can get past anything su
> can do (by attacking the unprivileged terminal you're typing at, for
> instance), but that's not an excuse for su not even *trying*.

do you even know how these mechanisms work?  XAUTHORITY is a path to a file.  
it does not contain the magic cookie itself.  reading that file only works if 
the person has permission to access it.  if your system grants people 
permission, then your system is already screwed up and simply deleting the env 
value changes nothing in the security aspect.  these supposed malicious users 
you're worried about will be able to screw you over all they want.

same goes for DISPLAY.  knowing the value is irrelevant, especially 
considering the vast majority of the time it is the same value.  security controls 
are in place above that to prevent people from talking to any DISPLAY.

thus `su`-ing to another non-root user is not a security issue by preserving 
these variables.  and `su`-ing to root is never a security issue for obvious 
reasons.

> > as for the env vars you quoted, try reading the man page yet again:
> >    If --login is used, the $TERM, $COLORTERM, $DISPLAY, and
> > $XAUTHORITY environment variables are copied if they were set.
> 
> That it is documented does not make it not a bug.

that you disagree with the design does not make it a bug.
-mike
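
Added example, not part of the original message or of the shadow package: a Python check of the point argued above, that XAUTHORITY only names a file and access to the cookie is governed by that file's ownership and mode. The function names, the findings wording, and the fallback to ~/.Xauthority when the variable is unset are choices made for this illustration.

```python
import os
import stat


def xauthority_path(env, home):
    """Return the cookie file an X client would use: $XAUTHORITY if set,
    otherwise ~/.Xauthority (assumed fallback for this example)."""
    return env.get("XAUTHORITY") or os.path.join(home, ".Xauthority")


def audit_cookie_file(env, home, expected_uid):
    """Return a list of findings about who can reach the cookie file.

    An empty list means only expected_uid (and root) can read or modify it,
    so leaking the *path* through the environment discloses nothing usable.
    """
    path = xauthority_path(env, home)
    try:
        st = os.stat(path)  # follows symlinks, like the client's open() would
    except FileNotFoundError:
        return [f"{path}: missing, the variable points at nothing"]

    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")

    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: mode {mode:04o} lets group/other read the cookie")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} lets group/other replace the cookie")
    return findings


if __name__ == "__main__":
    # Audit the current session's cookie file for the invoking user.
    home = os.path.expanduser("~")
    results = audit_cookie_file(os.environ, home, os.getuid())
    for line in results or ["cookie file is private to its owner"]:
        print(line)
```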