Message-Id: <20151215211812.7F21A6C010C@smtpvmsrv1.mitre.org>
Date: Tue, 15 Dec 2015 16:18:12 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
> PAM library should not operate on shadow writable by anyone else than root user.

In case there was interest in this report of a possibly unexpected PAM
behavior: the MITRE CVE team has no current plans to assign a CVE ID.
This seems to be essentially a design issue where multiple valid
opinions may exist. In other words, if /etc/shadow is in an incorrect
state, possibly the ideal outcome would be to halt the system until it
can be recovered using console access, possibly the ideal outcome is
to let the system continue running with otherwise normal software
behaviors in case an authorized user is relying on those behaviors to
fix the problem, or possibly it's something in between. Another
example would be a case where /etc/shadow is not critically
misconfigured (e.g., owned by the man account) but only slightly
misconfigured (e.g., the root group has read access). Some people may
prefer a design in which password-based authentication always fails
until the permissions are fixed; however, that's not necessarily the
prevailing opinion.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
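
The distinction the message above draws between a critically and a slightly misconfigured /etc/shadow, and the competing policies for what password authentication should then do, sketched as an added Python example. It is not code from PAM, the original report, or the MITRE reply; the state labels, policy names and function names are assumptions made for illustration.

```python
import os
import stat

def classify_shadow(st_uid, st_mode, trusted_uid=0):
    """Return 'critical', 'slight' or 'ok' for a shadow-style file.

    The three labels are this example's own; trusted_uid defaults to root.
    """
    if not stat.S_ISREG(st_mode):
        return "critical"      # symlink, directory or device node
    if st_uid != trusted_uid:
        return "critical"      # e.g. owned by the man account
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "critical"      # writable by someone other than the owner
    if st_mode & (stat.S_IRGRP | stat.S_IROTH):
        # e.g. group read access. Some distributions ship a group-readable
        # shadow file on purpose; adjust this branch to the local baseline.
        return "slight"
    return "ok"

def check_path(path, trusted_uid=0):
    """Classify a file on disk; lstat() so a symlink is judged as itself."""
    st = os.lstat(path)
    return classify_shadow(st.st_uid, st.st_mode, trusted_uid)

def password_auth_allowed(state, policy):
    """Model the design options named in the message (policy names assumed).

    strict     - password authentication fails until permissions are fixed
    lenient    - fail only when the file is critically misconfigured
    permissive - keep normal behaviour so an authorized user can repair it
    """
    if policy == "strict":
        return state == "ok"
    if policy == "lenient":
        return state != "critical"
    if policy == "permissive":
        return True
    raise ValueError("unknown policy: %r" % (policy,))

if __name__ == "__main__":
    state = check_path("/etc/shadow")
    for policy in ("strict", "lenient", "permissive"):
        print(policy, state, password_auth_allowed(state, policy))
```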
