root-equivalent groups

[psz () maths usyd edu au]

Most UNIX/Linux installations have some groups (or users) whose members may
be able to become root, for example:

        Group   What            Do
        bin     /usr/bin        create trojan
        disk    /dev/hda        raw write and create setuid root
        kmem    /dev/kmem       read root password
        shadow  /etc/shadow     crack root password
        staff   /usr/local/bin  create trojan
        tape    /dev/st0        read confidential backup tape
        tty     /dev/tty        add keystrokes, run any code
        
Often there are no users in these groups nor setgid binaries, so this may
not matter; and in fact be useless, could be owned by root instead. Group
staff is probably special in that administrators may add users to that
group, thinking that this is a lesser privilege than root.

Even in the absence of users in the group, it may be possible for attackers
to "get" that group, via become-any-group-but-root bugs. Such bugs are
quite common: when a group of machines share writable (e.g. user home)
directories via NFS exported from somewhere with default root-squash,
getting root on any one machine gives precisely that on all others of the
group. There have been "genuine" such bugs also e.g. in sendmail.

Please ensure that you are safe: review your use of root-equivalent groups,
file ownerships, and NFS configurations.

For some more discussion please see  http://bugs.debian.org/299007 .

Cheers,

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia