[mythtv-users] Running as root
R. G. Newbury
newbury at mandamus.org
Wed Oct 4 18:15:13 UTC 2006
Dave Sherohman wrote:
>
>> I remain, as usual, bemused by the level of paranoia exhibited in your
>> statement...Has anyone actually figured out how it could be possible to
>> subvert a mythbox, from having mythfrontend writeable and running suid root?
>
> Most (all?) *nix systems these days are smart enough to remove the
> suid/sgid flags if a program is modified, so mythfrontend being world
> writable and suid root wouldn't be an automatic root exploit, but using
> it to screw over anyone who runs mythfrontend is trivial:
>
> $ echo "#\!/bin/bash
> rm -rf ~
> echo 'Ha-ha!'" > mythfrontend
But this 'exploit' has nothing actually to do with mythfrontend. Your
hacker has a terminal access already. How could that be done, purely
using the fact that mythfrontend is running as root as distinct to
exploiting some other security hole? This just replaces the program
mythfrontend with a killer trojan.
> Anyone who runs mythfrontend will now delete their home directory and
> all its contents instead of watching TV. If you know the location of
> the machine's saved TV programs, it should be obvious how to wipe those
> out as well.
Your example, deleting the home folder, is something that any user can
do. So being/having root has nothing to do with it. The hacker is
already in and is just messing around. I want to focus on the explicit
differences which arise because mythfrontend is being run by root as
distinct to the generalized 'danger' of running as root... which always
seems to be a variant of the difference of danger that root has more
access than a supposedly limited access given to a user.
> If that's not a serious enough exploit for you, a slightly more devious
> attacker could replace mythfrontend with a script which fires up a
> keylogger, then overwrites itself to appear to be something less severe,
> such as the above example. If the user investigates and tries to fix it
> with su, then the keylogger has just recorded the root password and the
> system belongs to the attacker as soon as he retrieves the session log
> (or the logger emails it to him).
But the hacker is ALREADY IN.
Any normal user has to have access to programs to be able to use
them...Or are you suggesting that it is the singular fact that, under
the described circumstances, mythfrontend is 'rwx' by the world as
distinct to 'r-x'.
Under the 'normal' setup, mythfrontend belongs to the user mythtv...so
he does not need to su to try to fix it. Again, the hacker is ALREADY
IN. This example pre-supposes that the hacker gets in as user mythtv,
and must use a key-logger to get root password. HOW DID HE GET IN USING
MYTHFRONTEND ALONE? Once he is in, he could plant a trojan using any
program that the mythtv user has write and execute privileges to.. But
we knew that!
I have no problem with large scale segregated systems where 25
secretaries each have their own workspace etc. and their own passwords.
I used to work at such a site. But running a mythbox is NOT such an
enterprise. My fundamental problem is that mythtv actually runs in 2
user space levels, root for the backend and user for the frontend. And
if the backend crashes, only root can restart it, *without a reboot*.
All I want to do, is have the user be able to fix that problem..
> There are plenty of other scenarios, but these are the two that come to
> mind immediately. suid or not, world-writable executables are just
> asking for trouble because *anyone* can change them to do *anything*.
If he gets in...
R. Geoffrey Newbury
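
Added example, not part of the original message or of MythTV: a POSIX shell function that audits a directory tree for the two permission states debated in this thread, executables writable by "other" and setuid/setgid files writable by group or other. The function name `audit_exec_perms` and the output tags are assumptions made for this illustration.

```shell
#!/bin/sh
# audit_exec_perms DIR
# Prints "TAG<TAB>PATH" for every regular file under DIR that matches:
#   WORLD_WRITABLE_EXEC  executable file that any local user may overwrite
#   SUID_SGID_WRITABLE   setuid/setgid file writable by group or other
# Only POSIX find primaries are used, so it does not depend on GNU "-perm /mode".
# Usage: audit_exec_perms /usr/bin
audit_exec_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Writable by "other" AND executable by owner, group or other.
    find "$dir" -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec sh -c 'printf "WORLD_WRITABLE_EXEC\t%s\n" "$1"' _ {} \;

    # setuid or setgid AND writable by group or other.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) \
        -exec sh -c 'printf "SUID_SGID_WRITABLE\t%s\n" "$1"' _ {} \;
}
```

A file that is both world-writable and setuid is reported under both tags; the usual fix for either finding is `chmod go-w` on the file.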