Date: Wed, 16 Sep 2009 16:37:24 +0100 From: Chris Rees <utisoft@googlemail.com> To: d@delphij.net Cc: Chris Palmer <chris@noncombatant.org>, freebsd-security@freebsd.org Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) Message-ID: <b79ecaef0909160837t5526aea3i25698f68cb33ae99@mail.gmail.com> In-Reply-To: <4AB02BE0.1030305@delphij.net> References: <4AAF45B4.60307@isafeelin.org> <0016e6d99efa540b8b047399738b@google.com> <20090915202703.GF24361@noncombatant.org> <4AB02BE0.1030305@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
2009/9/16 Xin LI <delphij@delphij.net>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Chris Palmer wrote: >> utisoft@googlemail.com writes: >> >>> It appears to only affect 6.x.... and requires local access. If an >>> attacker has local access to a machine you're screwed anyway. >> >> No, the thing you're screwed anyway by is local *physical* access. Merel= y >> running a process as a non-root local user should *not* be a "you're scr= ewed >> anyway" scenario. The fundamental security guarantee of a modern operati= ng >> system is that different principals cannot affect each other's resources >> (user chris cannot read or write user jane's email -- let alone root's >> email). This bug breaks that guarantee, and is definitely not a ho-hum b= ug. > > Exactly. =A0This type of vulnerability could turn into a serious threat i= f > being used with some other vulnerabilities that allows code injection, > which is worse. > > Cheers, > - -- > Xin LI <delphij@delphij.net> =A0 =A0http://www.delphij.net/ Ahem, I must read posts correctly first. Beg pardon, I'll type that 100 times this evening. Chris --=20 A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in a mailing list?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b79ecaef0909160837t5526aea3i25698f68cb33ae99>