Hi Alex,
On Thu 20 Jan 2011 17:26:28 CET "John A. Sullivan III" wrote:
On 20.01.2011 15:39, Alexander Wuerstlein wrote:
Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable to get root in 2 ways:
- in the current git version, set 'startshadowagent' as the first parameter. Choose the 11th parameter in a way such that SHADOW_USER is set to 'root'. Set the second parameter ($CLIENT) to something like 'foo ; rm -fr /'. Profit.
- in the git as well as the stable version, when the database is sqlite: the x2gopgwrapper_sqlite runs as root meaning that any sql injection into sqlite would run as root. One possible injection would set the sqlite output file to /etc/shadow (via .output /etc/shadow) and overwrite it with a customized version including a new root password chosen by the attacker. Profit.
On Thu, 2011-01-20 at 16:17 +0100, Oleksandr Shneyder wrote:
I see, thank you Alexander. We'll fix it as quickly as possible. Regards,
<snip>
It has probably been roughly a year but I had posted some changes we made because we were very uncomfortable calling PostgreSQL as postgres. In fact, we combined it with our vserver work and eventually used user based schemas so we could use a single database for any number of X2Go Servers - John
John sent these patches (with docs!!!) to the list on 20100702. I had
taken a look at them then and they looked quite promising. They are
definitely worth looking at to address this issue.
Cheerio, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
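
The two issues reported in the quoted message, seen from the fixing side, as an added example that is not part of the thread and not X2Go code: a privileged wrapper validates its arguments against an allowlist before acting on them, and database access goes through bound parameters on a library connection instead of text fed to the sqlite shell. The function names, the table layout, the allowlist patterns and the refusal of the 'root' name are assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical allowlists; a real wrapper would match its own argument formats.
CLIENT_RE = re.compile(r"[A-Za-z0-9._:-]{1,255}")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_args(client, shadow_user):
    """Return an argv list, or raise ValueError for unacceptable input."""
    if not CLIENT_RE.fullmatch(client):
        raise ValueError("client contains characters outside the allowlist")
    if not USER_RE.fullmatch(shadow_user):
        raise ValueError("malformed user name")
    if shadow_user == "root":  # assumed policy: never act on behalf of root
        raise ValueError("privileged user refused")
    # Hand this list to subprocess.run(argv) without shell=True, so no shell
    # ever re-parses the values.
    return [client, shadow_user]


def open_db():
    """In-memory stand-in for the session database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id TEXT, client TEXT, uname TEXT)")
    return db


def insert_session(db, session_id, client, uname):
    # Bound parameters are stored as data and never parsed as SQL. A library
    # connection also has no sqlite shell dot-commands such as .output.
    db.execute(
        "INSERT INTO sessions (session_id, client, uname) VALUES (?, ?, ?)",
        (session_id, client, uname),
    )


def list_sessions(db, uname):
    cur = db.execute(
        "SELECT session_id, client FROM sessions WHERE uname = ?", (uname,)
    )
    return cur.fetchall()


def is_rejected(client, shadow_user):
    """True when validate_args refuses the pair."""
    try:
        validate_args(client, shadow_user)
    except ValueError:
        return True
    return False
```

Validation and parameter binding reduce what a caller can inject; running the database helper as an unprivileged account, which the thread also raises, limits what a remaining flaw can reach.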