Active Topics
-
Sailfish OS for the Motorola Moto G7 Power (XT1955-5) - (ocean) (4)
to SailfishOS by Maemish - 1 hr, 52 mins ago -
The N900 is now 15 years old! (6)
to Nokia N900 by Macros - 1 day, 22 hrs ago -
F(x)tec Pro1x (QWERTY) for sale (0)
to Buy & Sell by aln00000 - 2 days, 10 hrs ago -
n770 youtube video (0)
to General by nmdv - 6 days, 10 hrs ago - more...
rainisto |
2012-03-25
, 20:18
|
|
Posts: 1,067 |
Thanked: 2,383 times |
Joined on Jan 2012
@ Finland
|
#131
|
Originally Posted by wicket
Obviously inception as such is a huge security hole. It has been always known that if you want to bypass password query you install opensh, and if you want to have the password query, then you incept develsh. As only difference between develsh and opensh is the default current user vs. setuid(0).
|
|
2012-03-25
, 20:30
|
|
Posts: 1,067 |
Thanked: 2,383 times |
Joined on Jan 2012
@ Finland
|
#132
|
Originally Posted by wicket
There is nothing odd in your paste, it behaves just like aegis should. If you find that odd, then most likely you shouldn't have installed inception or incepted opensh, or atleast you should 1st study how aegis is supposed to work. http://harmattan-dev.nokia.com/docs/...ity_guide.html
I've noticed a couple of oddities when running an incepted opensh.
First of all, I am unable to run a simple shell script under opensh:
|
|
2012-03-25
, 21:58
|
|
Posts: 245 |
Thanked: 915 times |
Joined on Feb 2012
|
#133
|
Originally Posted by wicket
This is why installing opensh is optional - it makes things wide open, often more so than you want. I've been meaning to build a replacement that has a password prompt, ā la sudo. (If someone else is interested in implementing one, that would be greatly appreciated; what INCEPTION needs is apps, apps, and more apps!)
The second thing I discovered was that it is actually possible to run an incepted opensh shell as a regular user and gain full root privileges without needing to supply a root password!
<snip>
Note that as long as Aegis is exploitable, an evil unprivileged app could still obtain full access even without opensh - it would just be more difficult. opensh is essentially poking a hole through a dam that's already leaky.
@rainisto develsh doesn't have a password prompt either, though - so if incepting it does grant it full privileges, doing so is exactly as much of an issue as installing opensh, I'd imagine.
__________________
 |
|
2012-03-25
, 23:59
|
|
Posts: 634 |
Thanked: 3,266 times |
Joined on May 2010
@ Colombia
|
#134
|
Well I knew that the purpose of opensh was to provide real root, what I didn't realise was that setuid(0), setgid(0) was used to achieve this. I'll admit I was naive to install it without knowing this but what surprised me was how nothing has been done to lock it down. To quote the author (http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/):
No way is the default install of opensh as safe as any Linux system. Perhaps most people here find it acceptable to be able to gain root access without some form of password or key. Fremantle's rootsh was just as vulnerable.
Q: But isn't it a big security risk?
---------------------------------
A: Not at all, as user needs to boot into open mode kernel, something that no malware
could do. Of course once you switched "to the dark side" and got opensh installed
on your system, it is basically as safe or vulnerable to malware attacks as any other
linux system, maybe marginally better still thanks aegis.
|
|
2012-03-26
, 03:54
|
|
Posts: 245 |
Thanked: 915 times |
Joined on Feb 2012
|
#135
|
Originally Posted by wicket
If opensh asserted all Aegis credentials, but didn't switch to the root user, one could still trivially become root using either the tcb or CAP::setuid credentials, both of which would be available. Merely having opensh run as the current user wouldn't do anything at all to improve security.
Well I knew that the purpose of opensh was to provide real root, what I didn't realise was that setuid(0), setgid(0) was used to achieve this. I'll admit I was naive to install it without knowing this but what surprised me was how nothing has been done to lock it down. To quote the author (http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/):
No way is the default install of opensh as safe as any Linux system. Perhaps most people here find it acceptable to be able to gain root access without some form of password or key. Fremantle's rootsh was just as vulnerable.
Under other circumstances I'd be a bit more fervent about locking down access to credentials/root, but with Harmattan as it is I'm afraid it's a bit of a lost cause. That said, the Aegis-aware sudo I proposed earlier is definitely something that's required.
Edit: Also, you can get rid of opensh without getting rid of INCEPTION - just do apt-get remove opensh from a root shell and you're set.
__________________
Last edited by itsnotabigtruck; 2012-03-26 at 05:15.
|
|
2012-03-26
, 04:59
|
|
Posts: 1,067 |
Thanked: 2,383 times |
Joined on Jan 2012
@ Finland
|
#136
|
And ofcourse the real security hole is that one can make application to ovi store, and which would check the existance of /usr/sbin/incept and if binary is found then incept malware into device, and if binary is not found then do nothing.
So 1st you should make /usr/sbin/incept to set and query some custom password to able to be run it (which would not be rootme ie force change of default passwd).
Last edited by rainisto; 2012-03-26 at 05:01.
So 1st you should make /usr/sbin/incept to set and query some custom password to able to be run it (which would not be rootme ie force change of default passwd).
Last edited by rainisto; 2012-03-26 at 05:01.
|
|
2012-03-26
, 18:59
|
|
Posts: 64 |
Thanked: 42 times |
Joined on Jun 2009
|
#138
|
Originally Posted by coderus
After running
tried to make sudo work with all credentials, no succes. too little skill in linux. need help =)
Code:
/usr/sbin/incept sudo_1.6.8p12-4osso28+0m6_armel.deb
Code:
EDITOR=/usr/bin/vi /usr/sbin/visudo
A guide on the sudoers file (content, syntax) can be found here: https://help.ubuntu.com/community/Sudoers
Last edited by zszabo; 2012-03-26 at 19:03.
| The Following User Says Thank You to zszabo For This Useful Post: | ||
 |
|
2012-03-26
, 19:19
|
|
Posts: 6,436 |
Thanked: 12,701 times |
Joined on Nov 2011
@ Ängelholm, Sweden
|
#139
|
man, i know. i trying to compile sudo to have all credentials. my last success is:
Code:
~ $ sudo su Password: BusyBox v1.20.0.git (MeeGo 3:1.20-0.1+0m7) built-in shell (ash) Enter 'help' for a list of built-in commands. ~ # accli -I Current mode: open IMEI: 357923040175103 Credentials: UID::root GID::root CAP::chown CAP::dac_override CAP::dac_read_search CAP::fowner CAP::fsetid CAP::kill CAP::setgid CAP::setuid CAP::linux_immutable CAP::net_bind_service CAP::net_broadcast CAP::net_admin CAP::net_raw CAP::ipc_lock CAP::ipc_owner CAP::sys_module CAP::sys_rawio CAP::sys_chroot CAP::sys_ptrace CAP::sys_pacct CAP::sys_admin CAP::sys_boot CAP::sys_nice CAP::sys_resource CAP::sys_time CAP::sys_tty_config CAP::mknod CAP::lease CAP::audit_write CAP::audit_control CAP::setfcap CAP::mac_override CAP::mac_admin GRP::root GRP::adm GRP::dialout GRP::pulse-access
| The Following User Says Thank You to coderus For This Useful Post: | ||
|
|
2012-03-26
, 19:32
|
|
Posts: 64 |
Thanked: 42 times |
Joined on Jun 2009
|
#140
|
Since sudoers already contains a line that lets "user" run anything, how about:
(provided you have bash)
That gives me all credentials.
Code:
/usr/bin/sudo /bin/opensh -c /bin/bash --rcfile <rc filename>
That gives me all credentials.
 |
| Tags |
| harmattan, inception, root-access |
«
Previous Thread
|
Next Thread
»
|
All times are GMT. The time now is 07:04.