Bugtraq mailing list archives

Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate


From: Linux Mailing Lists <linux () aiind upv es>
Date: Wed, 1 Aug 2001 19:00:05 +0200 (MEST)


Hello,

In Slackware, and possibly other distributions, it is possible to
modify the locate database if one were to obtain UID nobody.  This allows
locate to act as a sort of 'trojan', having anyone who executes it
unknowingly execute potentially malicious code.

Obtaining access to user nobody under Slackware (at least 8.0) seems to be
relatively easy, since the apache web daemon runs, by default, under the
"nobody" UID. If the administrator lets users run CGIs or use any other
kind of "interaction" with httpd (includes, execs, etc...), it might be
very easy to run code as user nobody.

I've checked Slackware 8.0 and httpd is set up to run as user "nobody".

From /etc/apache/httpd.conf:

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group nobody on these systems!
#
User nobody
Group nobody

Suggested work-around: run httpd under another, "private" user ("www" for
example) and group, and be sure to disable any kind of interaction between
users and the web server (CGIs, includes, execs...).

Please note that having access to user "nobody" is not that bad unless
it's combined with other vulnerabilities (locate, for example, or any
other system-wide utility/program which is run as user "nobody").
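As an added example (not part of Sergio's post or of Slackware), a small POSIX shell audit for the combination described above: it reads the effective User directive from an httpd.conf like the one quoted earlier and reports whether a given system-wide data file (the locate database, for instance) is owned by, or writable to, that same shared account. The path of the locate database is not taken from the post and is passed as an argument.

```shell
#!/bin/sh
# Added audit helper (not from the original post): does httpd run as a shared
# account, and is a system-wide utility's data file (e.g. the locate database)
# owned by, or writable to, that account?

# Print the effective value of an httpd.conf directive such as User or Group.
# Apache honours the last uncommented occurrence, so commented examples like
# '#  . On SCO (ODT 3) use "User nouser"' and indentation must be handled.
httpd_directive() {
    awk -v name="$2" '
        { sub(/^[ \t]+/, "") }          # drop leading whitespace
        /^#/ || /^$/ { next }            # skip comments and blank lines
        $1 == name { value = $2 }        # last occurrence wins
        END { if (value != "") print value }
    ' "$1"
}

# Succeed when $2 is owned by user $1. find -user is POSIX; stat -c is not.
owned_by() {
    [ -n "$(find "$2" -prune -user "$1" 2>/dev/null)" ]
}

# Succeed when $1 is writable by its group or by everyone.
group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# Print one verdict for httpd.conf $1 and data file $2.
# Exit 0 = OK, 1 = the shared account can modify the file, 2 = user unknown.
audit_shared_account() {
    user=$(httpd_directive "$1" User)
    if [ -z "$user" ]; then
        echo "UNKNOWN: no User directive found in $1"; return 2
    elif owned_by "$user" "$2"; then
        echo "SHARED: httpd runs as '$user' and $2 is owned by '$user'"; return 1
    elif group_or_world_writable "$2"; then
        echo "WRITABLE: $2 is group- or world-writable (httpd user '$user')"; return 1
    fi
    echo "OK: httpd user '$user' neither owns $2 nor can write it via group/world bits"
}

# Usage: sh audit.sh /etc/apache/httpd.conf /path/to/locate.db
if [ $# -eq 2 ]; then
    audit_shared_account "$1" "$2"
fi
```

A SHARED or WRITABLE verdict is exactly the condition the post warns about; the fix is the one suggested below (a private httpd user) or tightening ownership of the database.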

Greetings,

                                                        Sergio

