[mythtv-users] Running as root

Dave Sherohman esper at sherohman.org
Tue Oct 3 15:28:36 UTC 2006


On Mon, Oct 02, 2006 at 02:53:13PM -0400, R. G. Newbury wrote:
> Dave Sherohman wrote:
> > chmod u+s mythfrontend
> > 
> > chmod 7777 would set not only suid, but also sgid and the sticky bit.
> > And you probably don't want to be making mythfrontend world-writable if
> > it's anywhere near a network, either, especially if it's suid root.
> > chmod 4755 or 4750 (if the mythtv user is a member of the group that
> > owns it) would be reasonably sane, though.  (4755 = rwsr-xr-x; 4750 =
> > rwsr-x---)
> 
> Thanks! As noted, more to play with.
> 
> My mythbox is not connected to any network, unless I lug it to the office.

So you hook up to the net, update your listings of upcoming programs
manually, then immediately disconnect?  Definitely a workable option,
but I get the impression that's not how most people operate.

> I remain, as usual, bemused by the level of paranoia exhibited in your 
> statement...Has anyone actually figured out how it could be possible to 
> subvert a mythbox, from having mythfrontend writeable and running suid root?

Most (all?) *nix systems these days are smart enough to remove the
suid/sgid flags if a program is modified, so mythfrontend being
world-writable and suid root wouldn't be an automatic root exploit, but
using it to screw over anyone who runs mythfrontend is trivial:

$ echo "#\!/bin/bash
rm -rf ~
echo 'Ha-ha!'" > mythfrontend

Anyone who runs mythfrontend will now delete their home directory and
all its contents instead of watching TV.  If you know the location of
the machine's saved TV programs, it should be obvious how to wipe those
out as well.

If that's not a serious enough exploit for you, a slightly more devious
attacker could replace mythfrontend with a script which fires up a
keylogger, then overwrites itself to appear to be something less severe,
such as the above example.  If the user investigates and tries to fix it
with su, then the keylogger has just recorded the root password and the
system belongs to the attacker as soon as he retrieves the session log
(or the logger emails it to him).

There are plenty of other scenarios, but these are the two that come to
mind immediately.  suid or not, world-writable executables are just
asking for trouble because *anyone* can change them to do *anything*.

-- 
I would rather be exposed to the inconvenience attending too much Liberty
than those attending too small degree of it.
  - Thomas Jefferson
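
To check a machine for the permission problems discussed in this message, here is an added example that is not part of the original post: a shell function that lists suid/sgid files and world-writable executables under a directory. The function name, the tags and the output format are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report risky permission bits
# on regular files under a directory.
#
# Tags, checked in this order so that each file is reported once:
#   SETID+WORLD-WRITABLE  suid or sgid set and writable by "other" (e.g. 7777)
#   WORLD-WRITABLE-EXEC   executable and writable by "other"       (e.g. 0777)
#   SETID                 suid or sgid set, not world-writable     (e.g. 4755)
audit_exec_perms() {
    dir=${1:?usage: audit_exec_perms DIR}
    # Helper run by find: prints "<tag> <path>" and exits 0, so the -o
    # alternatives that follow a match are skipped for that file.
    report='printf "%s %s\n" "$0" "$1"'
    find "$dir" -xdev -type f \( \
        \( -perm -4002 -o -perm -2002 \) \
            -exec sh -c "$report" 'SETID+WORLD-WRITABLE' {} \; \
        -o \
        -perm -0002 \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
            -exec sh -c "$report" 'WORLD-WRITABLE-EXEC' {} \; \
        -o \
        \( -perm -4000 -o -perm -2000 \) \
            -exec sh -c "$report" 'SETID' {} \; \
    \)
}
```

A binary set to 4755 or 4750 shows up only under SETID; anything under the first two tags can be rewritten by any local user and should lose its world-write bit (chmod o-w).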

