[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Linux kernel source archive vulnerable

To: Lee Ball <lee@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Linux kernel source archive vulnerable
From: hadmut@xxxxxxxxxx (Hadmut Danisch)
Date: Fri, 8 Sep 2006 12:53:15 +0200

On Fri, Sep 08, 2006 at 11:44:02AM +0100, Lee Ball wrote:
> 
> Sorry to add my 2 pence worth but I noticed that Raj ran his command as
> a normal user and you Hadmut have ran yours as root. Isn't it going to
> be ok as the directories above these world writeable files aren't
> writeable/readable by a non-superuser?

Actually it wasn't my own computer where I found the problem. I was
performing some security checks on a customer machine and found these
open directories, so it was someone else's machine.

No, this is not correct. Even if /usr/src is not world writable, you
can write into those subdirectories and files. 

Just think about it: Otherwise you could not write any file into your
home directory since /home is not world writable.

regards
Hadmut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Linux kernel source archive vulnerable
  - From: Hadmut Danisch
- Re: [Full-disclosure] Linux kernel source archive vulnerable
  - From: Raj Mathur
- Re: [Full-disclosure] Linux kernel source archive vulnerable
  - From: Hadmut Danisch
- Re: [Full-disclosure] Linux kernel source archive vulnerable
  - From: Lee Ball

Prev by Date: [Full-disclosure] Re: Linux kernel source archive vulnerable
Next by Date: RE: [Full-disclosure] Active Directory accounts
Previous by thread: Re: [Full-disclosure] Linux kernel source archive vulnerable
Next by thread: [Full-disclosure] Re: Linux kernel source archive vulnerable
Index(es):
- Date
- Thread