FreeBSD bug grants local root access (FreeBSD 6.x)
Xin LI
delphij at delphij.net
Wed Sep 16 00:06:03 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Palmer wrote:
> utisoft at googlemail.com writes:
>
>> It appears to only affect 6.x.... and requires local access. If an
>> attacker has local access to a machine you're screwed anyway.
>
> No, the thing you're screwed anyway by is local *physical* access. Merely
> running a process as a non-root local user should *not* be a "you're screwed
> anyway" scenario. The fundamental security guarantee of a modern operating
> system is that different principals cannot affect each other's resources
> (user chris cannot read or write user jane's email -- let alone root's
> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.
Exactly. This type of vulnerability could turn into a serious threat if
being used with some other vulnerabilities that allows code injection,
which is worse.
Cheers,
- --
Xin LI <delphij at delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)
iEYEARECAAYFAkqwK+AACgkQi+vbBBjt66Cu2gCfQWDWssPUTP+YESUOS7pJXCal
TY0An332WH2WDUiF1vhlgOW+QUk9U0rk
=S2nD
-----END PGP SIGNATURE-----
More information about the freebsd-security
mailing list