[rt-devel] possible security bug

Bruce Campbell bruce_campbell at ripe.net
Fri Jan 18 06:15:44 EST 2002

On Thu, 17 Jan 2002 dphull at ku.edu wrote:

> On Thu, 17 Jan 2002, Paul Lussier wrote:
> > [snip]
> > Despite the fact that the person who is installing rt2 *probably* has
> > root privileges, they may not, and may be invoking 'initdb' via
> > something like 'sudo', in which case it's trivial for them to then *get*
> > root access by placing something called 'stty' in the search path that
> > shows up before the really stty.
> I'm not sure this is a real security problem. According to the sudo
> manpage, the current directory "." is checked last to prevent command
> spoofing.

I believe this comes under 'check the Makefile and everything it possible
invokes before trying it with root privs'.  Standard paranoia.

On the search path, most implementations of sudo and its ilk force $PATH
to be a known set of values, *not* including '.'.  If an attacker has put
stty in one of the known $PATH, then all hope is already lost (ie, they
either have root, or theres some really sloppy admin going on).


More information about the Rt-devel mailing list