[Alpine-info] Possible security vulnerability?
John Carter
john.carter at tait.co.nz
Tue May 20 13:47:42 PDT 2008
On Tue, 20 May 2008, Matt Ackeret wrote:
> On Tue, 20 May 2008, John Carter wrote:
>> Note 6. An effective way of exploring these issues is to use strace to
>> intercept system calls. Except you have to be able to follow through
>> fork/exec pairs. Thus you need to sudo it. This unfortunately loses
>> you ~/.pinerc settings. However, my cunning double sudo seems to
>> work..
>
> can't you just
>
> sudo strace alpine -p ~myuser/.pinerc
> ???
> (obviously I'm leaving out some of the arguments, but you get the idea,
> just point it at the user directly.. Then I think you're getting
> alpine run as the real user, maybe not.)

The way I read that is...

* It won't follow fork/execs; you need -f for that.
* It will run alpine as root, and if it creates / mucks with any
  files (which it does) they may well be owned by root. Which may
  cause interesting new and different issues for you later.
* There may be other aspects of alpine's behaviour, apart from where
  it gets its .pinerc, that differ if you are a different and more
  privileged user.
* I use this trick for exploring security issues, i.e. I'm already
  feeling a bit paranoid. Exploring such issues _and_ giving the
  suspect tool root privilege makes me very nervous.

So I think I'll stick with the double sudo.

    sudo strace -v -f -o tlog -s 1024 sudo -u MYUSERNAME -H alpine

John Carter Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : john.carter at tait.co.nz
New Zealand
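
One way to summarise the tlog file that the strace command above writes, as an added example that is not part of the original message: it lists which programs were exec'd and which files were opened for writing, per PID. The sample log lines, paths, PIDs and function names are constructed for illustration and do not describe alpine's actual behaviour.

```python
import re

# Constructed sample of `strace -f -o tlog` output (not from a real run).
SAMPLE_TLOG = '''\
4101 execve("/usr/bin/sudo", ["sudo", "-u", "MYUSERNAME", "-H", "alpine"], [/* 20 vars */]) = 0
4102 execve("/usr/bin/alpine", ["alpine"], [/* 18 vars */]) = 0
4102 open("/home/MYUSERNAME/.pinerc", O_RDONLY) = 4
4102 open("/tmp/example.tmp", O_WRONLY|O_CREAT|O_EXCL, 0600 <unfinished ...>
4103 execve("/usr/bin/some-helper", ["some-helper"], [/* 18 vars */]) = 0
4102 <... open resumed> ) = 5
4103 open("/root/.example", O_WRONLY|O_CREAT, 0600) = -1 EACCES (Permission denied)
'''

CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)$')               # "PID syscall(args..."
RESUMED = re.compile(r'^(\d+)\s+<\.\.\. \w+ resumed>(.*)$')
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')              # first quoted argument
RET_RE = re.compile(r'\)\s*=\s*(-?\d+)')                  # ") = <return value>"
WRITE_FLAGS = ('O_WRONLY', 'O_RDWR', 'O_CREAT')

def join_unfinished(lines):
    """Rejoin the '<unfinished ...>' / '<... resumed>' halves that -f interleaves."""
    pending = {}
    for line in lines:
        m = RESUMED.match(line)
        if m and m.group(1) in pending:
            yield pending.pop(m.group(1)) + m.group(2)
        elif line.rstrip().endswith('<unfinished ...>'):
            pending[line.split()[0]] = line.rsplit('<unfinished', 1)[0]
        else:
            yield line

def summarise(tlog):
    """Return (execs, writes): lists of (pid, path) for calls that succeeded."""
    execs, writes = [], []
    for line in join_unfinished(tlog.splitlines()):
        m = CALL.match(line)
        if not m or m.group(2) not in ('execve', 'open', 'openat', 'creat'):
            continue
        pid, name, rest = int(m.group(1)), m.group(2), m.group(3)
        path = PATH_RE.search(rest)
        tail = rest[path.end():] if path else ''   # flags and return value
        ret = RET_RE.search(tail)
        if not path or not ret or int(ret.group(1)) < 0:
            continue                               # failed or unparseable call
        if name == 'execve':
            execs.append((pid, path.group(1)))
        elif name == 'creat' or any(f in tail for f in WRITE_FLAGS):
            writes.append((pid, path.group(1)))
    return execs, writes
```

On a real trace, call `summarise(open('tlog').read())`; a write entry is reported when its resumed half arrives, so the order of writes follows call completion.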