undefined | Better HN

0 pointscharcircuit1mo ago0 comments

The remote daemon has its own account and is given a privilege that allows it to connect a network socket to a pseudo terminal.

0 comments

esseph1mo ago

Any breach of the daemon will still give access to a system that can approve/deny user logins. Breaching the daemon therefore allows permission escalation, because you can simply jump to an account. Chain with any local vuln of your choice to completely own the box.

It doesn't matter what user it is running as.

If this was so easy to deal with, someone would have done it. Instead, we get endless HN comments about people that act like they can do better but never submit a PR.

charcircuitOP1mo ago

Breaching the daemon only allows for the attacker to get access to the login. User accounts should still be secured requiring authentication.

>If this was so easy to deal with, someone would have done it.

Sadly this is not the case. There is a lot of inertia towards solutions like ssh or sudo. It may be easy to delete them, but actually getting such a changed accepted is no trivial task.

esseph1mo ago

> Breaching the daemon only allows for the attacker to get access to the login

Yes, but potentially any login. See the problem? If you compromise the gatekeeper, you are now the keymaster. Or whatever :)

1 more reply

direwolf201mo ago

Those are already unprivileged operations, but how does it start the initial process in that terminal with the correct privileges for a different user?

charcircuitOP1mo ago

The kernel could authenticate the user before starting it.

direwolf201mo ago

How does it do that?

1 more reply

j / k navigate · click thread line to collapse

0 comments

esseph1mo ago

It doesn't matter what user it is running as.

If this was so easy to deal with, someone would have done it. Instead, we get endless HN comments about people that act like they can do better but never submit a PR.

charcircuitOP1mo ago

Breaching the daemon only allows for the attacker to get access to the login. User accounts should still be secured requiring authentication.

>If this was so easy to deal with, someone would have done it.

Sadly this is not the case. There is a lot of inertia towards solutions like ssh or sudo. It may be easy to delete them, but actually getting such a changed accepted is no trivial task.

esseph1mo ago

> Breaching the daemon only allows for the attacker to get access to the login

Yes, but potentially any login. See the problem? If you compromise the gatekeeper, you are now the keymaster. Or whatever :)

1 more reply

direwolf201mo ago

Those are already unprivileged operations, but how does it start the initial process in that terminal with the correct privileges for a different user?

charcircuitOP1mo ago

The kernel could authenticate the user before starting it.

direwolf201mo ago

How does it do that?

1 more reply

j / k navigate · click thread line to collapse