Re: FreeBSD bug grants local root access (FreeBSD 6.x)

Board: FB_security | Posted: 2009/09/17 02:01
2009/9/16 Xin LI <delphij@delphij.net>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Palmer wrote:
>> utisoft@googlemail.com writes:
>>
>>> It appears to only affect 6.x.... and requires local access. If an
>>> attacker has local access to a machine you're screwed anyway.
>>
>> No, the thing you're screwed anyway by is local *physical* access. Merely
>> running a process as a non-root local user should *not* be a "you're screwed
>> anyway" scenario. The fundamental security guarantee of a modern operating
>> system is that different principals cannot affect each other's resources
>> (user chris cannot read or write user jane's email -- let alone root's
>> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.
>
> Exactly. This type of vulnerability could turn into a serious threat if
> being used with some other vulnerabilities that allows code injection,
> which is worse.
>
> Cheers,
> - --
> Xin LI <delphij@delphij.net>    http://www.delphij.net/

Ahem, I must read posts correctly first. Beg pardon, I'll type that
100 times this evening.

Chris

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1AiIVcM7 (FB_security)