LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

brk() bug was the real problem

brk() bug was the real problem

Posted Dec 13, 2003 19:05 UTC (Sat) by giraffedata (subscriber, #1954)
In reply to: Too weak by RobSeace
Parent article: Lessons from the Debian compromise

I take the opposite view. An unauthorized user being able to log into a system as a nonprivileged user is a small deal. Being able to escalate to a privileged user is a big deal.

That's because there are all kinds of legitimate reasons for having a system that untrusted people can log into as an unprivileged user. We should not therefore squander our attention on stopping people from logging in, but rather allocate it to stopping privilege escalations.

(Log in to post comments)

How do you figure??

Posted Dec 13, 2003 19:49 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

How on Earth can you say that someone gaining access to a legit developer's
user account is "a small deal"???? And, at the same time, that going from
there to root is a "a big deal"???? I can't comprehend your perspective...

By having access to the developer's user account, the attacker can pretend
to be the developer, including doing such things as checking in code under
his/her name, communicating with others to obtain info intented only for the
developer, and basically anything and everything that legit developer could
do... Is this really "a small deal" to you???? Do you realize the damage
that could be done this way?? Think about it... Chances are, no one would
ever have found out about such a user-only attack: no system files would
have changed, no kernel oopses as warnings, nothing to tip anyone off that
anything was up... So, this person could have undected access for as long
as they wanted, and do anything they wanted in the real developer's name,
without arousing anyone's suspicions... They could get a hidden backdoor of
some sort worked into some major bit of software which they know will be
run by everyone that uses the distro, and as soon as it gets distributed
widely, they'd have access to thousands of machines around the world, with
no one being the wiser (until they eventually slip up and get caught)...
You don't think this represents a scary scenario?? Yet, you find the mere
escalation from an authorized remote user account to root the end of the
world???? I'm totally baffled by that...

Gaining root, when you already have the above power, is just unecessary
overkill, really... If the person who pulled this off were smart, they
would've done as I describe above, and stayed hidden, and been able to do
lots of nasty things for a LONG time, before anyone ever caught them...
By being greedy and going after root, they got caught quickly... And, what
did it gain them?? Not much... Seriously, tell me: what are you so afraid
they could've done as root, that they couldn't have accomplished far more
stealthfully as the developer?? It seems to me the big danger is planting
some kind of back-door/trojan into the source, right? Why do that with
noisy root access, when you can do it with stealthy developer access, and
arouse no one's suspicions?? Sure, as root they can sniff everyone's
passwords and monitor everyone's communications, etc... But, so what?
What is the ultimate danger from doing that: that they'll be able to find a
way to poison the source code, right? Or, are you worried about some OTHER
danger that I'm not seeing??

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds