Hi all,

I read Tavis Ormandy's blog entry about suid exploits some time ago. Link is above. I looked out for directories on my system that a user has write access to and that are not on extra partitions mounted nosuid. Here's the list:

/usr/share/texmf/fonts
/usr/share/texmf/fonts/tfm
/usr/share/texmf/fonts/tfm/hoekwater
/usr/share/texmf/fonts/tfm/hoekwater/context
/usr/share/texmf/fonts/tfm/bh
/usr/share/texmf/fonts/tfm/bh/lucidfax
/usr/share/texmf/fonts/tfm/bh/lumath
/usr/share/texmf/fonts/tfm/bh/lucida
/usr/share/texmf/fonts/tfm/bh/lucsans
/usr/share/texmf/fonts/tfm/bh/lubright
/usr/share/texmf/fonts/tfm/cg
/usr/share/texmf/fonts/tfm/cg/helvetic
/usr/share/texmf/fonts/tfm/cg/lettrgth
/usr/share/texmf/fonts/tfm/cg/garamond
/usr/share/texmf/fonts/tfm/cg/marigold
/usr/share/texmf/fonts/tfm/cg/wingding
/usr/share/texmf/fonts/tfm/cg/albertus
/usr/share/texmf/fonts/tfm/cg/coronet
/usr/share/texmf/fonts/tfm/cg/courier
/usr/share/texmf/fonts/tfm/cg/univers
/usr/share/texmf/fonts/tfm/cg/timesnew
/usr/share/texmf/fonts/tfm/cg/clarendo
/usr/share/texmf/fonts/tfm/cg/times
/usr/share/texmf/fonts/tfm/cg/atqolive
/usr/share/texmf/fonts/tfm/cg/symbol
/usr/share/texmf/fonts/tfm/cg/optima
/usr/share/texmf/fonts/tfm/public
/usr/share/texmf/fonts/tfm/public/pxfonts
/usr/share/texmf/fonts/tfm/public/vnr
/usr/share/texmf/fonts/tfm/public/concrete
/usr/share/texmf/fonts/tfm/public/ecc
/usr/share/texmf/fonts/tfm/public/cmcyr
/usr/share/texmf/fonts/tfm/public/misc
/usr/share/texmf/fonts/tfm/public/euxm
/usr/share/texmf/fonts/tfm/public/latex
/usr/share/texmf/fonts/tfm/public/bbold
/usr/share/texmf/fonts/tfm/public/cs
/usr/share/texmf/fonts/tfm/public/wasy
/usr/share/texmf/fonts/tfm/public/cmbright
/usr/share/texmf/fonts/tfm/public/bbm
/usr/share/texmf/fonts/tfm/public/ae
/usr/share/texmf/fonts/tfm/public/qfonts
/usr/share/texmf/fonts/tfm/public/antt
/usr/share/texmf/fonts/tfm/public/xypic
/usr/share/texmf/fonts/tfm/public/eurosym
/usr/share/texmf/fonts/tfm/public/omega
/usr/share/texmf/fonts/tfm/public/qpx
/usr/share/texmf/fonts/tfm/public/cm
/usr/share/texmf/fonts/tfm/public/pl
/usr/share/texmf/fonts/tfm/public/txfonts
/usr/share/texmf/fonts/tfm/public/antp
/usr/share/texmf/fonts/tfm/public/concmath
/usr/share/texmf/fonts/tfm/public/stmaryrd
/usr/share/texmf/fonts/tfm/public/rsfs
/usr/share/texmf/fonts/tfm/public/pazo
/usr/share/texmf/fonts/tfm/public/mflogo
/usr/share/texmf/fonts/tfm/public/cmextra
/usr/share/texmf/fonts/tfm/public/cc-pl
/usr/share/texmf/fonts/tfm/public/gothic
/usr/share/texmf/fonts/tfm/public/marvosym
/usr/share/texmf/fonts/tfm/public/qtx
/usr/share/texmf/fonts/tfm/ams
/usr/share/texmf/fonts/tfm/ams/euler
/usr/share/texmf/fonts/tfm/ams/cyrillic
/usr/share/texmf/fonts/tfm/ams/symbols
/usr/share/texmf/fonts/tfm/ams/cmextra
/usr/share/texmf/fonts/tfm/yandy
/usr/share/texmf/fonts/tfm/yandy/mathtime
/usr/share/texmf/fonts/tfm/yandy/mathplus
/usr/share/texmf/fonts/tfm/yandy/times
/usr/share/texmf/fonts/tfm/yandy/mathpi
/usr/share/texmf/fonts/source/public/cs
/usr/share/texmf/fonts/source/jknappen
/usr/share/texmf/fonts/source/jknappen/ec
/usr/share/texmf/fonts/source/jknappen/tc
/usr/share/texmf/fonts/source/jknappen/sauter
/usr/share/texmf/fonts/source/lh
/usr/share/texmf/fonts/source/lh/lh-ot2
/usr/share/texmf/fonts/source/lh/lh-lcy
/usr/share/texmf/fonts/source/lh/lh-t2a
/usr/share/texmf/fonts/source/lh/lh-x2
/usr/share/texmf/fonts/source/lh/lh-t2b
/usr/share/texmf/fonts/source/lh/specific
/usr/share/texmf/fonts/source/lh/lh-t2c
/usr/share/texmf/fonts/source/lh/nont2
/usr/share/texmf/fonts/source/lh/base
/usr/share/texmf/fonts/source/lh/lh-t2d

In these directories everybody has write access. /usr/share isn't usually something you put on a separate partition so it's usually mounted suid. I don't even see a reason why the tetex' font directories should be writable to everybody anyway.

Is this a valid report or am I missing something?

Regards
Sebastian

Reproducible: Always

Steps to Reproduce:
1. Check tetex' font directories for their permissions

Actual Results:
Permissions are too lax, they could be used for suid exploits
text-markup, any comments?
Sorry everybody, the ebuild does indeed set proper permissions while merging. I messed up reporting this without checking properly. My bad.

Regards
Sebastian
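
The check described in the report (directories writable by everybody that sit on a filesystem not mounted nosuid), written out as an added example that is not part of the original bug thread. The function names and the sample mount table are made up for illustration, and reporting the sticky bit goes slightly beyond what the report checked.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not taken from the report).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, options)] with the longest mountpoint first."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts escapes spaces in paths as \040
            mnt = fields[1].replace("\\040", " ")
            mounts.append((mnt, set(fields[3].split(","))))
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)

def mount_options(path, mounts):
    """Options of the most specific mount that contains path."""
    for mnt, opts in mounts:
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            return opts
    return set()

def audit(root, mounts):
    """List (path, has_sticky_bit) for world-writable directories under
    root that live on a filesystem mounted without nosuid."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):  # symlinks are not followed
        mode = os.stat(dirpath).st_mode
        if not mode & stat.S_IWOTH:
            continue
        if "nosuid" in mount_options(os.path.realpath(dirpath), mounts):
            continue
        findings.append((dirpath, bool(mode & stat.S_ISVTX)))
    return sorted(findings)

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_MOUNTS  # fall back to the constructed sample
    for path, sticky in audit("/usr/share", parse_mounts(table)):
        print("sticky  " if sticky else "NOSTICKY", path)
```

Run it against the installed tree rather than the build directory, since, as the follow-up comment notes, permissions can be set at merge time.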