From: Tobias Geerinckx-Rice
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 13:53:35 +0200

Ludo',

Thanks for your report :-p

The 1777 is obviously very bad, no question. However: question:

Ludovic Courtès writes:
> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of the client for clients connecting over TCP. Or we’d need to add a challenge mechanism or authentication.

I need more cluebat please: say I'm an attacker and connect to your daemon (over TCP, why not), asking it to create an empty ‘per-user/ludo’.

Assuming the daemon creates it with sane permissions (say 0755) & without any race conditions, what's my evil plan now?

Kind regards,

T G-R