2002-10-29 11:02:43

by Olaf Dietsche

[permalink] [raw]
Subject: Re: [PATCH][RFC] 2.5.44 (1/2): Filesystem capabilities kernel patch

Olaf Dietsche <olaf.dietsche#[email protected]> writes:

> Olaf Dietsche <olaf.dietsche#[email protected]> writes:
>
>> <[email protected]> writes:
>>
>>> On Mon, 28 Oct 2002, Olaf Dietsche wrote:
>>>
>>>> If you're careful with giving away capabilities however, this patch
>>>> can make your system more secure as it is. But this isn't fully
>>>> explored, so you might achieve the opposite and open new security
>>>> holes.
>
> Famous last words :-(
>
>>>
>>> Have you checked how glibc handles an executable with filesystem
>>> capabilities? e.g. can an LD_PRELOAD hack subvert the privileged
>>> executable?
>>
>> No, I didn't check. Thanks for this hint, I will look into this.

Executables with inheritable sets only are not affected. A regular
user may use LD_PRELOAD, but he is not able to gain additional
privileges.

> I just downloaded glibc 2.3.1 and would say you can subvert a
> privileged executable with LD_PRELOAD. There's no mention of
> PR_GET_DUMPABLE anywhere and __libc_enable_secure is set according to
> some euid/egid tests.

This means setting the executable to SGID nogroup or a similar hack
would close at least some of the security holes for now.

Regards, Olaf.