Closed nerdtron123 closed 7 years ago
postinst scripts already run as root, so what would runAsSuperUser allow for that a regular postinst can't do?
allowing us to execute that anywhere we want.
For example?
lol that doesn't make sense
With your runAsSuperuser binary, people can run commands as root from any user.
On Friday, April 21, 2017, Jamie Bishop notifications@github.com wrote:
> lol that doesn't make sense
They can do that anyway in postinst, just su?
But any application without a sandbox can do priv esc. If you see how Cydia is designed, it's only allowed from the Cydia binary
On Sat, Apr 22, 2017 at 6:34 AM, Jamie Bishop notifications@github.com wrote:
> They can do that anyway in postinst, just su?
@nerdtron123 I've seen how Cydia designed it, but it's a moot point. Anything you install through Cydia can already run root commands. When you SSH into the device you're already running root. What's the attack vector you're envisioning?
Means people can attack other people with Limitless, if they're outside of the sandbox on mobile or w/e
On Fri, May 5, 2017 at 3:03 PM, John Coates notifications@github.com wrote:
> @nerdtron123 I've seen how Cydia designed it, but it's a moot point. Anything you install through Cydia can already run root commands. When you SSH into the device you're already running root. What's the attack vector you're envisioning?
I'm closing this since I can't see a way someone can run a command on an iOS device, but is limited to mobile. If you can think of a way that isn't extremely vague, let me know.
it seems to run any command as root or dpkg binaries as root, allowing us to do postinst scripts via malicious code etc etc