maemo.org - Talk (https://talk.maemo.org/index.php)
MeeGo / Harmattan (https://talk.maemo.org/forumdisplay.php?f=45)
Announcing INCEPTION: Deeper access to your N9 [0.1.1] (https://talk.maemo.org/showthread.php?t=82835)

rainisto 2012-03-25 20:18

Re: Announcing INCEPTION: Deeper access to your N9
 
Quote:

Originally Posted by wicket (Post 1184008)
The second thing I discovered was that it is actually possible to run an incepted opensh shell as a regular user and gain full root privileges without needing to supply a root password!

This is obviously a huge security hole. I'd also like know if this problem occurs when running opensh under an open-mode kernel.

I suggest that anyone using an incepted opensh locks down both /bin/opensh and /bin/open-sh executables with 700 permissions until this is sorted.

Obviously inception as such is a huge security hole. It has always been known that if you want to bypass the password query you install opensh, and if you want to have the password query, then you incept develsh, as the only difference between develsh and opensh is the default current user vs. setuid(0).
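As an added illustration of the interim mitigation wicket proposes above (locking /bin/opensh and /bin/open-sh down to mode 700), here is a small POSIX shell check that reports whether a setuid shell binary is still executable by group or other. This is example code written for this page, not code from the thread or from the INCEPTION project; the two paths are the ones named in the post, while the function name and its output words ("missing", "locked", "open") are this example's own.

```shell
#!/bin/sh
# Added example: audit whether a setuid shell such as /bin/opensh can be
# executed by group or other. The paths come from the thread; the function
# and its result words are constructed for this example.

# Usage: setuid_shell_exposure PATH
# Prints "missing" if PATH does not exist, "locked" if no group/other
# permission bits are set (mode 700 or tighter, as suggested in the thread),
# and "open" otherwise.
setuid_shell_exposure() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    # Octal mode without leading zeros, e.g. 4755 for a setuid root binary
    # or 700 after chmod 700. stat -c works in GNU coreutils and BusyBox.
    mode=$(stat -c '%a' "$path") || return 1
    # Pad with zeros, then keep the last two digits (group and other bits).
    # Pure string handling, so a leading 0 is never re-read as octal.
    mode="0000$mode"
    go=${mode#"${mode%??}"}
    if [ "$go" = "00" ]; then
        echo "locked"
    else
        echo "open"
    fi
}

# Report on the two binaries named in the thread; on a host that does not
# have them this just prints "missing" for each.
for bin in /bin/opensh /bin/open-sh; do
    printf '%s: %s\n' "$bin" "$(setuid_shell_exposure "$bin")"
done
```

Run it as any user; a result of "open" for a binary that does setuid(0) means every local account, and every app running as that account, has a password-free root shell available.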

rainisto 2012-03-25 20:30

Re: Announcing INCEPTION: Deeper access to your N9
 
Quote:

Originally Posted by wicket (Post 1184007)
I've noticed a couple of oddities when running an incepted opensh.

First of all, I am unable to run a simple shell script under opensh:

There is nothing odd in your paste, it behaves just like aegis should. If you find that odd, then most likely you shouldn't have installed inception or incepted opensh, or at least you should first study how aegis is supposed to work. http://harmattan-dev.nokia.com/docs/...ity_guide.html

itsnotabigtruck 2012-03-25 21:58

Re: Announcing INCEPTION: Deeper access to your N9
 
Quote:

Originally Posted by wicket (Post 1184008)
The second thing I discovered was that it is actually possible to run an incepted opensh shell as a regular user and gain full root privileges without needing to supply a root password!

<snip>

This is why installing opensh is optional - it makes things wide open, often more so than you want. I've been meaning to build a replacement that has a password prompt, à la sudo. (If someone else is interested in implementing one, that would be greatly appreciated; what INCEPTION needs is apps, apps, and more apps!)

Note that as long as Aegis is exploitable, an evil unprivileged app could still obtain full access even without opensh - it would just be more difficult. opensh is essentially poking a hole through a dam that's already leaky.

@rainisto develsh doesn't have a password prompt either, though - so if incepting it does grant it full privileges, doing so is exactly as much of an issue as installing opensh, I'd imagine.

wicket 2012-03-25 23:59

Re: Announcing INCEPTION: Deeper access to your N9
 
Well I knew that the purpose of opensh was to provide real root, what I didn't realise was that setuid(0), setgid(0) was used to achieve this. I'll admit I was naive to install it without knowing this but what surprised me was how nothing has been done to lock it down. To quote the author (http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/):

Quote:

Q: But isn't it a big security risk?
---------------------------------
A: Not at all, as user needs to boot into open mode kernel, something that no malware
could do. Of course once you switched "to the dark side" and got opensh installed
on your system, it is basically as safe or vulnerable to malware attacks as any other
linux system, maybe marginally better still thanks to aegis.

No way is the default install of opensh as safe as any Linux system. Perhaps most people here find it acceptable to be able to gain root access without some form of password or key. Fremantle's rootsh was just as vulnerable.

itsnotabigtruck 2012-03-26 03:54

Re: Announcing INCEPTION: Deeper access to your N9
 
Quote:

Originally Posted by wicket (Post 1184067)
Well I knew that the purpose of opensh was to provide real root, what I didn't realise was that setuid(0), setgid(0) was used to achieve this. I'll admit I was naive to install it without knowing this but what surprised me was how nothing has been done to lock it down. To quote the author (http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/):

No way is the default install of opensh as safe as any Linux system. Perhaps most people here find it acceptable to be able to gain root access without some form of password or key. Fremantle's rootsh was just as vulnerable.

If opensh asserted all Aegis credentials, but didn't switch to the root user, one could still trivially become root using either the tcb or CAP::setuid credentials, both of which would be available. Merely having opensh run as the current user wouldn't do anything at all to improve security.

Under other circumstances I'd be a bit more fervent about locking down access to credentials/root, but with Harmattan as it is I'm afraid it's a bit of a lost cause. That said, the Aegis-aware sudo I proposed earlier is definitely something that's required.

Edit: Also, you can get rid of opensh without getting rid of INCEPTION - just do apt-get remove opensh from a root shell and you're set.

rainisto 2012-03-26 04:59

Re: Announcing INCEPTION: Deeper access to your N9
 
And of course the real security hole is that one can make an application for the Ovi Store which would check the existence of /usr/sbin/incept, and if the binary is found then incept malware into the device, and if the binary is not found then do nothing.

So first you should make /usr/sbin/incept set and query some custom password to be able to run it (which would not be rootme, i.e. force a change of the default passwd).

coderus 2012-03-26 15:19

Re: Announcing INCEPTION: Deeper access to your N9
 
tried to make sudo work with all credentials, no success. too little skill in linux. need help =)

zszabo 2012-03-26 18:59

Re: Announcing INCEPTION: Deeper access to your N9
 
Quote:

Originally Posted by coderus (Post 1184282)
tried to make sudo work with all credentials, no success. too little skill in linux. need help =)

After running

Code:

/usr/sbin/incept sudo_1.6.8p12-4osso28+0m6_armel.deb

run

Code:

EDITOR=/usr/bin/vi /usr/sbin/visudo

to edit the sudoers file.

A guide on the sudoers file (content, syntax) can be found here: https://help.ubuntu.com/community/Sudoers

coderus 2012-03-26 19:19

Re: Announcing INCEPTION: Deeper access to your N9
 
man, I know. I'm trying to compile sudo to have all credentials. My last success is:
Code:

~ $ sudo su
Password:


BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # accli -I
Current mode: open
IMEI: 357923040175103
Credentials:
        UID::root
        GID::root
        CAP::chown
        CAP::dac_override
        CAP::dac_read_search
        CAP::fowner
        CAP::fsetid
        CAP::kill
        CAP::setgid
        CAP::setuid
        CAP::linux_immutable
        CAP::net_bind_service
        CAP::net_broadcast
        CAP::net_admin
        CAP::net_raw
        CAP::ipc_lock
        CAP::ipc_owner
        CAP::sys_module
        CAP::sys_rawio
        CAP::sys_chroot
        CAP::sys_ptrace
        CAP::sys_pacct
        CAP::sys_admin
        CAP::sys_boot
        CAP::sys_nice
        CAP::sys_resource
        CAP::sys_time
        CAP::sys_tty_config
        CAP::mknod
        CAP::lease
        CAP::audit_write
        CAP::audit_control
        CAP::setfcap
        CAP::mac_override
        CAP::mac_admin
        GRP::root
        GRP::adm
        GRP::dialout
        GRP::pulse-access


zszabo 2012-03-26 19:32

Re: Announcing INCEPTION: Deeper access to your N9
 
Since sudoers already contains a line that lets "user" run anything, how about:

Code:

/usr/bin/sudo /bin/opensh -c /bin/bash --rcfile <rc filename>
(provided you have bash)

That gives me all credentials.
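To make the password-gated route zszabo describes concrete, here is an added example (written for this page, not code from the thread or from the INCEPTION project) in two parts: a sudoers rule that grants the unprivileged `user` account only the `/bin/opensh` wrapper, still with the normal password prompt, and a shell check that flags sudoers entries granting passwordless (`NOPASSWD`) access to `ALL` commands, which is the configuration equivalent of an unrestricted opensh. The sudoers text is constructed for illustration (whether Harmattan's stock sudoers looks like it is an assumption), and the function names are this example's own; `user` is the account name used in the thread and `Defaults timestamp_timeout=0` is a standard sudoers option.

```shell
#!/bin/sh
# Added example: sudoers hygiene for a password-gated opensh wrapper.
# All sudoers text below is constructed for illustration; it is not
# Harmattan's stock file.

# A tighter rule than "user may run anything": only the opensh wrapper,
# only as root, with the normal password prompt (no NOPASSWD) and no
# cached authentication. Install it with visudo, never by editing
# /etc/sudoers in place.
restricted_opensh_rule() {
    cat <<'EOF'
Defaults timestamp_timeout=0
user ALL=(root) /bin/opensh
EOF
}

# Return 0 (true) if the sudoers text on stdin contains at least one
# non-comment rule that grants NOPASSWD access to ALL commands, i.e. a
# passwordless root shell; return 1 otherwise.
has_passwordless_all() {
    # Strip comments and blank lines, then look for NOPASSWD with ALL as
    # the command list on the same line. grep -q exits 0 on a match.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
      | grep -q 'NOPASSWD:[[:space:]]*ALL'
}

# Convenience wrapper: prints "weak" or "ok" for the sudoers text on stdin.
classify_sudoers() {
    if has_passwordless_all; then
        echo "weak"
    else
        echo "ok"
    fi
}

# Constructed sample of a weak file: the blanket NOPASSWD line is exactly
# what the check should catch.
weak_sample() {
    cat <<'EOF'
# constructed sample, not a real device file
root ALL=(ALL) ALL
user ALL=(ALL) NOPASSWD: ALL
EOF
}

# Demo: the weak sample is flagged, the restricted rule is not.
echo "weak sample:     $(weak_sample | classify_sudoers)"
echo "restricted rule: $(restricted_opensh_rule | classify_sudoers)"
```

On a device, `classify_sudoers < /etc/sudoers` (from a root shell, since sudoers is normally mode 440) answers the question this thread keeps circling: whether root is still one command away for any code running as `user`. Note that a rule whose command has no arguments, as in the restricted rule above, lets sudo pass any arguments through, so `sudo /bin/opensh -c /bin/bash --rcfile ...` from the post keeps working.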

