Reply to post: Re: The real culprit

Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

Vic

Re: The real culprit

Maybe someone can comment about whether SELinux capabilities would be good safety net against such mishaps.

Assuming the SELinux contexts were set up properly[1], the exploit as posted would be entirely obviated; newgrp has no need to write to sudoers, and would not be permitted to do so, even if it were being run by root.

That said, something like visudo (if installed) would get around that ;-(

Vic.

[1] I've seen SELinux set up in pretty much an "allow everything" mode; it's *technicallly* running, but provides essentially no protection at all. This is, quite obviously, not how you're supposed to do things...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019