Security guy here. I had the chance to look over this project and try it out today. I have no less than 5 ways to acquire root privileges from an unprivileged user in the 15 minutes I looked at it. Has anyone audited this distro in the past 10 years?
Do you plan on documenting and contributing an actual critique or just making an unverifiable internet jab? Because if you're serious then the project would probably welcome knowing the specifics so they can evaluate their system design.
Yes, I mentioned in another comment (at the time of your comment) that I planned on doing a more comprehensive writeup at a later date. If what you're saying is my claims are unverifiable, you're correct. I generally don't publish any of my research unless there's a way to keep my lights on. The good news is, I should be able to soon.
Depends on their popularity. For Ubuntu, Debian, RHEL, Mint, MX Linux, etc. it took me 10 years to find a single LPE. Special case Linux distros, like those for audio editing or signal processing, have about 1-3 LPEs in the first 30 min to an hour I look at them. And GoboLinux... broken permissions, broken trust of library load paths, root SUIDs with 5 LPE issues at a glance of the source. They even gave some regular binaries root privileges because why not. I didn't look into the root services running or writable paths because I assumed those would be vulnerable too. The question is not if you can get root, but how many ways there are to get root. I was running GoboLinux in a 15 minute session, and once it expired I didn't start a new one.
I'll come back to it and do a more comprehensive audit. I haven't released any zerodays I've found, ever, but recently I was thinking about making a blog. This might be some good material.
I have. Only so far as to test if another zeroday I created worked. It did because it shares a lot of similarities with other Debian-based targets. I haven't tested Tails further, because there are no ethical buyers of Tails vulnerabilities.
I spent about an hour on this after your comment. Honestly, I was pretty lost in the filesystem for half of that time. I have never used either distro.
My copy of NixOS had no password on the root user by default, which is not ideal but I assume most deployments aren't like that (right?). I was able to become other users on GuixSD using the SUIDs the distro ships with, but not root. Not yet. The surface is much larger on both of those distros than the mainstream OSes. I may be able to pull off a root LPE, but I'd need to look for a full day at least.