Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://pony.social/users/cult/statuses/113205801415230463">CULTPONY :verified: :verified: (cult@pony.social)'s status on Friday, 27-Sep-2024 05:50:51 JST</a><a href="https://pony.social/@cult" title="cult@pony.social"><img src="https://gnusocial.jp/avatar/20077-48-20231024042554.webp" width="48" height="48" alt="CULTPONY :verified: :verified:" style="position: absolute; left: 0; top: 0;">CULTPONY :verified: :verified:</a><div><a href="https://friedcheese.us/objects/ff7f7b4d-0bc4-4114-b17e-d4c71977089d" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://friedcheese.us/users/feld" rel="nofollow noreferrer">@feld</a> low effort code execution will do that, even if it's "just LPD user" gated. Write access to /tmp as LPD in theory isn't bad but what software checks if it's /tmp files were written by the correct user? Could in theory abuse that to smuggle some other stuff in. Deploying a remote terminal shouldn't be difficult either.</p><p>Running code on a system as system user but not root is still a place of massive opportunities (seen more than a share of code that assumes any user ID with three digits or less is privileged and should be allowed to do things with other things).</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3733244#notice-7309923">In conversation</a><time datetime="2024-09-27T05:50:51+09:00" title="Friday, 27-Sep-2024 05:50:51 JST">about 2 months ago</time> <span>from <span><a href="https://pony.social/@cult/113205801415230463" rel="external" title="Sent from pony.social via ActivityPub">pony.social</a></span></span><a href="https://pony.social/@cult/113205801415230463">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
CULTPONY :verified: :verified: (cult@pony.social)'s status on Friday, 27-Sep-2024 05:50:51 JSTCULTPONY :verified: :verified:
in reply to
- feld
@feld low effort code execution will do that, even if it's "just LPD user" gated. Write access to /tmp as LPD in theory isn't bad but what software checks if it's /tmp files were written by the correct user? Could in theory abuse that to smuggle some other stuff in. Deploying a remote terminal shouldn't be difficult either.
Running code on a system as system user but not root is still a place of massive opportunities (seen more than a share of code that assumes any user ID with three digits or less is privileged and should be allowed to do things with other things).
In conversationabout 2 months ago from pony.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice