[Gluster-infra] download.gluster.org was rooted

Michael Scherer mscherer at redhat.com
Thu Jun 4 09:32:02 UTC 2015 

Le jeudi 04 juin 2015 à 00:49 +0200, Michael Scherer a écrit :
> Le jeudi 04 juin 2015 à 00:01 +0200, Michael Scherer a écrit :
> > Le mercredi 03 juin 2015 à 17:09 -0400, Kaleb Keithley a écrit :
> > > I just deleted an suid-root /tmp/usr/bin/suexec script from download.gluster.org
> > 
> > We need to investigate a bit more...
> 
> And by that, I mean "we shouldn't remove clues". So it turn out that
> supercolony has the same issue :
> 
> [root at supercolony tmp]# ls -l usr/sbin/suexec 
> -r-s--x---. 1 root root 13984 Dec 19 16:05 usr/sbin/suexec
> 
> Looking at the log, I was connected at the same time, but the ip look
> like the one of the coworking space I work from, so I do think either
> the log have been tempered with, or this didn't came from ssh.
> 
> It look furiously similar to a regular suexec, same size of the binary,
> and dissambly do not so obvious difference ( I am not good enough to
> spot issue in the 3 lines of asm ).

So after sleeping on it and drinking, I found out the only difference is
the build-id and some debug related stuff.

suexec is also hardly exploitable as is, due to a ton of restrictions.

In fact, i cannot find any scenario where this would be a attacker. This
binary cannot be used to elevate privilege, and given the permission, it
was placed here by root or a root owned process, so if there was a hack,
it was not here. 

So I suspect some cronjob running somewhere that created it, or a bug in
some script.

Anyway, we should reinforce security.

Like selinux set to enforcing, and the noexec on /tmp is also a good
suggestion, having key only ssh, etc, etc.

Of course, we cannot get too aggressive on security as this might break
production. And not all servers are in salt (yet), so it is hard to
enforce a policy. 

But for me, this is case closed for now, unless someone has something
new.


-- 
Michael Scherer
Open Source and Standards, Sysadmin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.gluster.org/pipermail/gluster-infra/attachments/20150604/55fffdf6/attachment-0001.sig>

More information about the Gluster-infra mailing list