[mythtv-users] Running as root

R. G. Newbury newbury at mandamus.org
Wed Oct 4 18:15:13 UTC 2006


Dave Sherohman wrote:
> 
>> I remain, as usual, bemused by the level of paranoia exhibited in your 
>> statement...Has anyone actually figured out how it could be possible to 
>> subvert a mythbox, from having mythfrontend writeable and running suid root?
> 
> Most (all?) *nix systems these days are smart enough to remove the
> suid/sgid flags if a program is modified, so mythfrontend being world
> writable and suid root wouldn't be an automatic root exploit, but using
> it to screw over anyone who runs mythfrontend is trivial:
> 
> $ echo "#\!/bin/bash
> rm -rf ~
> echo 'Ha-ha!'" > mythfrontend

But this 'exploit' has nothing actually to do with mythfrontend. Your 
hacker has a terminal access already. How could that be done, purely 
using the fact that mythfrontend is running as root as distinct to 
exploiting some other security hole? This just replaces the program 
mythfrontend with a killer trojan.

> Anyone who runs mythfrontend will now delete their home directory and
> all its contents instead of watching TV.  If you know the location of
> the machine's saved TV programs, it should be obvious how to wipe those
> out as well.

Your example, deleting the home folder, is something that any user can 
do. So being/having root has nothing to do with it. The hacker is 
already in and is just messing around. I want to focus on the explicit 
differences which arise because mythfrontend is being run by root as 
distinct to the generalized 'danger' of running as root... which always 
seems to be a variant of the difference of danger that root has more 
access than a supposedly limited access given to a user.

> If that's not a serious enough exploit for you, a slightly more devious
> attacker could replace mythfrontend with a script which fires up a
> keylogger, then overwrites itself to appear to be something less severe,
> such as the above example.  If the user investigates and tries to fix it
> with su, then the keylogger has just recorded the root password and the
> system belongs to the attacker as soon as he retrieves the session log
> (or the logger emails it to him).

But the hacker is ALREADY IN.

Any normal user has to have access to programs to be able to use 
them... Or are you suggesting that it is the singular fact that, under 
the described circumstances, mythfrontend is 'rwx' by the world as 
distinct to 'r-x'?
Under the 'normal' setup, mythfrontend belongs to the user mythtv... so 
he does not need to su to try to fix it. Again, the hacker is ALREADY 
IN. This example pre-supposes that the hacker gets in as user mythtv, 
and must use a key-logger to get the root password. HOW DID HE GET IN USING 
MYTHFRONTEND ALONE? Once he is in, he could plant a trojan using any 
program that the mythtv user has write and execute privileges to. But 
we knew that!

I have no problem with large scale segregated systems where 25 
secretaries each have their own workspace etc. and their own passwords. 
I used to work at such a site. But running a mythbox is NOT such an 
enterprise. My fundamental problem is that mythtv actually runs in 2 
user space levels, root for the backend and user for the frontend. And 
if the backend crashes, only root can restart it, *without a reboot*.
All I want to do is have the user be able to fix that problem.

> There are plenty of other scenarios, but these are the two that come to
> mind immediately.  suid or not, world-writable executables are just
> asking for trouble because *anyone* can change them to do *anything*.

If he gets in...


R. Geoffrey Newbury

Helping with the HTTP issue
HTTP: http://www.w3.org/Protocols/
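The two conditions argued over in this exchange (an executable that is world-writable, and a file carrying the setuid bit) are both things an administrator can audit for rather than reason about in the abstract. The script below is an added example, not code from the thread or from MythTV: it builds a constructed sample tree with a world-writable `mythfrontend`, a setuid-but-not-writable `mythbackend` and an ordinary data file, then reports which files fall into which class. The file names and modes are constructed for the demonstration; the functions are hypothetical helpers, not MythTV tooling.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a directory for the
# two conditions discussed above -- executables writable by "other", and files
# with the setuid bit. Sample files and names below are constructed.

# Print every regular file under $1 that is executable by anyone AND
# writable by "other" (mode bit 0002). -perm -MODE means "all these bits set".
find_world_writable_execs() {
    find "$1" -type f -perm -0002 -perm -0111 2>/dev/null | sort
}

# Print every regular file under $1 that has the setuid bit (04000) set.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Classify one path. Prints exactly one of:
#   ok | world-writable-exec | setuid | world-writable-setuid
# (-maxdepth 0 restricts find to the named path itself; GNU and BSD find both support it.)
classify_file() {
    f="$1"
    ww=0
    su=0
    [ -n "$(find "$f" -maxdepth 0 -type f -perm -0002 -perm -0111 2>/dev/null)" ] && ww=1
    [ -n "$(find "$f" -maxdepth 0 -type f -perm -4000 2>/dev/null)" ] && su=1
    if [ "$ww" -eq 1 ] && [ "$su" -eq 1 ]; then
        echo world-writable-setuid
    elif [ "$ww" -eq 1 ]; then
        echo world-writable-exec
    elif [ "$su" -eq 1 ]; then
        echo setuid
    else
        echo ok
    fi
}

# Build a constructed sample tree mirroring the cases in the thread and
# print its path. The caller is responsible for removing it.
make_sample_tree() {
    d="$(mktemp -d)"
    printf '#!/bin/sh\necho frontend\n' > "$d/mythfrontend"
    chmod 0777 "$d/mythfrontend"    # world-writable executable: the risky case
    printf '#!/bin/sh\necho backend\n' > "$d/mythbackend"
    chmod 4755 "$d/mythbackend"     # setuid, but nobody else can modify it
    printf 'data\n' > "$d/notes.txt"
    chmod 0644 "$d/notes.txt"       # neither condition
    echo "$d"
}

# Total number of findings (world-writable executables + setuid files) under $1.
count_findings() {
    n1=$(find_world_writable_execs "$1" | wc -l)
    n2=$(find_setuid_files "$1" | wc -l)
    echo $((n1 + n2))
}

# Stand-alone run: audit the constructed tree and print a report.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    tree="$(make_sample_tree)"
    for p in "$tree"/*; do
        printf '%-40s %s\n' "$p" "$(classify_file "$p")"
    done
    echo "findings: $(count_findings "$tree")"
    rm -rf "$tree"
fi
```

Run it against a real system with `find_world_writable_execs /usr/local/bin` or similar; a hit from the first function is the situation the thread's quoted reply warns about, while a hit from the second is only a concern when combined with the first or with a writable parent directory.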
