Re: terminatrox audit?: msg#00024

Subject: Re: terminatrox audit?
hi Steve,

On Sat, Aug 12, 2006 at 02:51:40PM +0100, Steve Kemp wrote:
> On Sat, Aug 12, 2006 at 03:45:33PM +0200, Michael Ablassmeier wrote:
> 
> > has one of you yet had a look at terminatorx? Terminatorx is a real-time
> > synthesizer software which supports installation of its binary SUID root in
> > order to be able to use realtime scheduling. Might be worth a look.
> 
>   Since it isn't installed setuid by default I've never looked at it
>  before.
> 
>   First analysis - *don't* install setuid if you have untrusted local
>  users since loading files from the GUI easily allows a local root attack.
> 
>   Loading files triggers code in src/tX_audiofile.cc:
> 
> --
> tX_audio_error tx_audiofile :: load_ogg123() {
>     tX_debug("tx_audiofile::load_ogg123()");
>     
>     char command[PATH_MAX*2];
> 
>     sprintf(command, OGG123_STR, filename);
>     file = popen(command, "r");
> 
>     if (!file) return TX_AUDIO_ERR_OGG123;
> 
>     return load_piped();
> }
> --

yes, i've had this impression too and was playing around with trying to execute
some binaries overriding PATH in my ~/bin/, those are, as it seems, not run
with root privileges as the application drops those at startup:

main.cc:
--
        if ((!geteuid()) && (getuid() != geteuid())) {
                tX_msg("runnig suid-root - dropping root privileges.");

                int result=setuid(getuid());

                if (result) {
                        tX_error("main() Panic: can't drop root privileges.");
                        exit(2);
                }
        }

        /* No suidroot below this comment. */
--

linking ~/bin/sox to /sbin/init ended up in terminatorX executing it as regular
user over here.

bye,
    - michael
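
The load_ogg123() code quoted above hands a file name to a shell through popen(). As an added example (not part of the original message and not terminatorX code), this is one way to start a decoder with the file name as a single argv element and without a PATH lookup; run_decoder is a hypothetical helper and the decoder path passed to it is an assumption.

```cpp
#include <string>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

// Hypothetical helper (not terminatorX code): run `prog <file>` with no shell
// and collect the child's stdout. `prog` must be an absolute path, so neither
// PATH nor /bin/sh takes part in choosing or parsing what gets executed.
bool run_decoder(const char *prog, const std::string &file, std::string &out) {
    if (prog == nullptr || prog[0] != '/') return false;
    // A leading '-' would be read as an option by most tools; "./" keeps the
    // same relative file while making it unambiguous as a path.
    std::string arg = (!file.empty() && file[0] == '-') ? "./" + file : file;

    int fds[2];
    if (pipe(fds) != 0) return false;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return false; }

    if (pid == 0) {                         // child: stdout -> pipe, then exec
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        // One argv element: ';', '$()', backticks and spaces stay literal.
        char *const argv[] = { const_cast<char *>(prog),
                               const_cast<char *>(arg.c_str()), nullptr };
        execv(prog, argv);
        _exit(127);                         // exec failed
    }

    close(fds[1]);                          // parent reads until EOF
    out.clear();
    char buf[4096];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return false;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```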

