Tested on Liberty using the trove-integration script: the demo user is able to use the "root-enable" command, which creates an administrator account on the datastore.
So unless secure_file_priv (for MySQL) is set, a user is able to create a file in /tmp using SELECT INTO OUTFILE with the root account and leverage the guest-agent /tmp usage to get shell access.
This seems like a serious enough flaw to warrant an advisory and fix the guest agent.
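
A configuration check for the secure_file_priv condition mentioned in the report, as an added example that is not part of the original comment or of Trove's code. The function names, the `SHARED_DIRS` policy and the sample option-file text in the usage are assumptions made for illustration; it reads only the `[mysqld]` group of a single option file and does not follow `!include` directives.

```python
import posixpath

# Directories that other privileged processes may read from. /tmp comes from
# the report above; treating /var/tmp the same way is an assumption.
SHARED_DIRS = ("/tmp", "/var/tmp")


def effective_secure_file_priv(cnf_text):
    """Return the last secure_file_priv value in [mysqld], or None if absent."""
    section, value = None, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank lines, comments, !include directives
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent,
        # and the last occurrence of an option wins.
        if key.strip().lower().replace("-", "_") == "secure_file_priv":
            value = val.strip().strip("\"'")
    return value


def audit(cnf_text):
    """Classify how far SELECT ... INTO OUTFILE is confined by this config."""
    value = effective_secure_file_priv(cnf_text)
    if value is None:
        return "unset"         # compiled-in default applies; set it explicitly
    if value == "":
        return "unrestricted"  # empty value: no limit on export location
    if value.upper() == "NULL":
        return "disabled"      # import/export off (on releases accepting NULL)
    path = posixpath.normpath(value)
    for shared in SHARED_DIRS:
        if path == shared or path.startswith(shared + "/"):
            return "shared-dir"  # confined, but to a directory others consume
    return "restricted"


if __name__ == "__main__":
    # Constructed sample option file, not taken from a real guest image.
    sample = "[mysqld]\ndatadir=/var/lib/mysql\nsecure-file-priv=/tmp/\n"
    print(audit(sample))
```

Only `restricted` and `disabled` keep a datastore root account from writing into /tmp through the server; the other verdicts leave the condition described in the report in place.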