Jonathan Simpson on 6 Dec 2018 14:46:14 -0800



Re: [PLUG] Yet another fresh linux exploit


In a hypothetical environment (perhaps shared hosting environment?) where non-privileged users can cause the creation of new accounts, I suppose someone could exploit this to create enough accounts to exceed the limit and then gain access?

In short, you just need to be the shared server's 2-billionth (and change) customer to "win." Sounds like an early 2000s banner ad to me.

On Thu, Dec 6, 2018 at 4:04 PM Fred Stluka <fred@bristle.com> wrote:
Michael,

Is this a practical problem?  That is, do many (any?) Linux systems
have UIDs greater than 2,147,483,646?  Do they use negative
numbers?

By default my Linux boxes typically have UIDs 0 to 499 for special
users, and 500 on up for regular users.  But they count up from 500
by ones, so it would take a LONG time to get to UID 2,147,483,647.
I don't expect to ever admin a system that has over 2 BILLION past or
present users.

I agree it's a bug and should be fixed.  But is there any real urgency
for this one?  For example, is there some package I'm likely to add to
my system that creates UIDs that are huge or negative?

Thanks!
--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 12/6/18 12:32 PM, Michael Lazin wrote:
> https://thehackernews.com/2018/12/linux-user-privilege-policykit.html
>
> --
> Michael Lazin
>
> to gar auto estin noein te kai ennai
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
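
One way to answer the question raised in this thread (does a system have any UIDs greater than 2,147,483,646, or negative ones?) is to audit the account database directly. The following Python check is an added example, not part of the original messages; the function name, reason strings and sample accounts are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Threshold taken from the thread: "UIDs greater than 2,147,483,646".
THREAD_UID_THRESHOLD = 2_147_483_646


class Finding(NamedTuple):
    line_no: int
    user: str
    uid_field: str
    reason: str


def audit_passwd(text: str, threshold: int = THREAD_UID_THRESHOLD) -> List[Finding]:
    """Flag passwd-format entries whose UID field is huge, negative, or not a number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            findings.append(Finding(line_no, fields[0], "", "malformed entry"))
            continue
        user, uid_field = fields[0], fields[2]
        # Strict match: int() alone would accept "+5", " 7" or "1_000".
        if not re.fullmatch(r"-?[0-9]+", uid_field):
            reason = "non-numeric UID"
        elif int(uid_field) < 0:
            reason = "negative UID"
        elif int(uid_field) > threshold:
            reason = "UID above threshold"
        else:
            continue
        findings.append(Finding(line_no, user, uid_field, reason))
    return findings


# Constructed sample input; these accounts are invented for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bigsvc:x:4000000000:4000000000::/nonexistent:/usr/sbin/nologin
edge:x:2147483647:100::/home/edge:/bin/sh
neg:x:-2:65534::/:/usr/sbin/nologin
broken:x:12ab:100::/home/broken:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user} uid={f.uid_field!r}: {f.reason}")
```

On a real host, feed it the output of `getent passwd` rather than only `/etc/passwd`, so that accounts served through NSS sources are checked as well.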