search

antonpaquin / Telekinesis

Allows secure creation and execution of scripts over a REST API
0 stars 0 forks source link

Running user is allowed to modify the security database #1

Open antonpaquin opened 6 years ago

antonpaquin commented 6 years ago

If the user that executes remote scripts is the same as the user that creates and runs the telekinesis service itself, then remote users are able to create a script that opens the security database and rewrites their permissions.

In that scenario, script.create and script.update.[x] can be trivially escalated to full permissions.

To prevent this:

  1. Create a new OS user who will execute telekinesis scripts
  2. Set permissions on that user to prevent anything unwanted from happening
  3. Before running, chown "run.py" or the binary to that user, and chmod it 6777
antonpaquin commented 6 years ago

Current issue: I need to mess around with the execution code so that it changes user properly.