Active Topics

 


Closed Thread
Thread Tools
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#131
Originally Posted by wicket View Post
The second thing I discovered was that it is actually possible to run an incepted opensh shell as a regular user and gain full root privileges without needing to supply a root password!

This is obviously a huge security hole. I'd also like know if this problem occurs when running opensh under an open-mode kernel.

I suggest that anyone using an incepted opensh locks down both /bin/opensh and /bin/open-sh executables with 700 permissions until this is sorted.
Obviously inception as such is a huge security hole. It has been always known that if you want to bypass password query you install opensh, and if you want to have the password query, then you incept develsh. As only difference between develsh and opensh is the default current user vs. setuid(0).
 
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#132
Originally Posted by wicket View Post
I've noticed a couple of oddities when running an incepted opensh.

First of all, I am unable to run a simple shell script under opensh:
There is nothing odd in your paste, it behaves just like aegis should. If you find that odd, then most likely you shouldn't have installed inception or incepted opensh, or atleast you should 1st study how aegis is supposed to work. http://harmattan-dev.nokia.com/docs/...ity_guide.html
 
Posts: 245 | Thanked: 915 times | Joined on Feb 2012
#133
Originally Posted by wicket View Post
The second thing I discovered was that it is actually possible to run an incepted opensh shell as a regular user and gain full root privileges without needing to supply a root password!

<snip>
This is why installing opensh is optional - it makes things wide open, often more so than you want. I've been meaning to build a replacement that has a password prompt, ā la sudo. (If someone else is interested in implementing one, that would be greatly appreciated; what INCEPTION needs is apps, apps, and more apps!)

Note that as long as Aegis is exploitable, an evil unprivileged app could still obtain full access even without opensh - it would just be more difficult. opensh is essentially poking a hole through a dam that's already leaky.

@rainisto develsh doesn't have a password prompt either, though - so if incepting it does grant it full privileges, doing so is exactly as much of an issue as installing opensh, I'd imagine.
 
wicket's Avatar
Posts: 634 | Thanked: 3,266 times | Joined on May 2010 @ Colombia
#134
Well I knew that the purpose of opensh was to provide real root, what I didn't realise was that setuid(0), setgid(0) was used to achieve this. I'll admit I was naive to install it without knowing this but what surprised me was how nothing has been done to lock it down. To quote the author (http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/):

Q: But isn't it a big security risk?
---------------------------------
A: Not at all, as user needs to boot into open mode kernel, something that no malware
could do. Of course once you switched "to the dark side" and got opensh installed
on your system, it is basically as safe or vulnerable to malware attacks as any other
linux system, maybe marginally better still thanks aegis.
No way is the default install of opensh as safe as any Linux system. Perhaps most people here find it acceptable to be able to gain root access without some form of password or key. Fremantle's rootsh was just as vulnerable.
 
Posts: 245 | Thanked: 915 times | Joined on Feb 2012
#135
Originally Posted by wicket View Post
Well I knew that the purpose of opensh was to provide real root, what I didn't realise was that setuid(0), setgid(0) was used to achieve this. I'll admit I was naive to install it without knowing this but what surprised me was how nothing has been done to lock it down. To quote the author (http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/):



No way is the default install of opensh as safe as any Linux system. Perhaps most people here find it acceptable to be able to gain root access without some form of password or key. Fremantle's rootsh was just as vulnerable.
If opensh asserted all Aegis credentials, but didn't switch to the root user, one could still trivially become root using either the tcb or CAP::setuid credentials, both of which would be available. Merely having opensh run as the current user wouldn't do anything at all to improve security.

Under other circumstances I'd be a bit more fervent about locking down access to credentials/root, but with Harmattan as it is I'm afraid it's a bit of a lost cause. That said, the Aegis-aware sudo I proposed earlier is definitely something that's required.

Edit: Also, you can get rid of opensh without getting rid of INCEPTION - just do apt-get remove opensh from a root shell and you're set.

Last edited by itsnotabigtruck; 2012-03-26 at 05:15.
 
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#136
And ofcourse the real security hole is that one can make application to ovi store, and which would check the existance of /usr/sbin/incept and if binary is found then incept malware into device, and if binary is not found then do nothing.

So 1st you should make /usr/sbin/incept to set and query some custom password to able to be run it (which would not be rootme ie force change of default passwd).

Last edited by rainisto; 2012-03-26 at 05:01.
 
coderus's Avatar
Posts: 6,436 | Thanked: 12,701 times | Joined on Nov 2011 @ Ängelholm, Sweden
#137
tried to make sudo work with all credentials, no succes. too little skill in linux. need help =)
 

The Following User Says Thank You to coderus For This Useful Post:
Posts: 64 | Thanked: 42 times | Joined on Jun 2009
#138
Originally Posted by coderus View Post
tried to make sudo work with all credentials, no succes. too little skill in linux. need help =)
After running

Code:
/usr/sbin/incept sudo_1.6.8p12-4osso28+0m6_armel.deb
Run

Code:
EDITOR=/usr/bin/vi /usr/sbin/visudo
to edit the sudoers file.

A guide on the sudoers file (content, syntax) can be found here: https://help.ubuntu.com/community/Sudoers

Last edited by zszabo; 2012-03-26 at 19:03.
 

The Following User Says Thank You to zszabo For This Useful Post:
coderus's Avatar
Posts: 6,436 | Thanked: 12,701 times | Joined on Nov 2011 @ Ängelholm, Sweden
#139
man, i know. i trying to compile sudo to have all credentials. my last success is:
Code:
~ $ sudo su
Password:


BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # accli -I
Current mode: open
IMEI: 357923040175103
Credentials:
	UID::root
	GID::root
	CAP::chown
	CAP::dac_override
	CAP::dac_read_search
	CAP::fowner
	CAP::fsetid
	CAP::kill
	CAP::setgid
	CAP::setuid
	CAP::linux_immutable
	CAP::net_bind_service
	CAP::net_broadcast
	CAP::net_admin
	CAP::net_raw
	CAP::ipc_lock
	CAP::ipc_owner
	CAP::sys_module
	CAP::sys_rawio
	CAP::sys_chroot
	CAP::sys_ptrace
	CAP::sys_pacct
	CAP::sys_admin
	CAP::sys_boot
	CAP::sys_nice
	CAP::sys_resource
	CAP::sys_time
	CAP::sys_tty_config
	CAP::mknod
	CAP::lease
	CAP::audit_write
	CAP::audit_control
	CAP::setfcap
	CAP::mac_override
	CAP::mac_admin
	GRP::root
	GRP::adm
	GRP::dialout
	GRP::pulse-access
 

The Following User Says Thank You to coderus For This Useful Post:
Posts: 64 | Thanked: 42 times | Joined on Jun 2009
#140
Since sudoers already contains a line that lets "user" run anything, how about:

Code:
/usr/bin/sudo /bin/opensh -c /bin/bash --rcfile <rc filename>
(provided you have bash)

That gives me all credentials.
 
Closed Thread

Tags
harmattan, inception, root-access


 
Forum Jump


All times are GMT. The time now is 07:04.