Message-ID: <40781588.7080503@stanford.edu>
Date: Sat, 10 Apr 2004 08:40:56 -0700
From: Andy Lutomirski <luto@stanford.edu>
User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207)
MIME-Version: 1.0
To: Olaf Dietsche <olaf+list.linux-kernel@olafdietsche.de>
CC: Andy Lutomirski <luto@myrealbox.com>,
       Kernel Mailing List <linux-kernel@vger.kernel.org>, akpm@osdl.org,
       torvalds@osdl.org
Subject: Re: [PATCH, local root on 2.4, 2.6?] compute_creds race
References: <4076F02E.1000809@myrealbox.com> <87fzbc19d5.fsf@goat.bogus.local>
In-Reply-To: <87fzbc19d5.fsf@goat.bogus.local>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1234
Lines: 40

Olaf Dietsche wrote:

> Andy Lutomirski <luto@myrealbox.com> writes:
> 
> 
>>The setuid program is now running with uid=euid=500 but full permitted
>>capabilities.  There are two (or three) ways to effectively get local
>>root now:
> 
> 
> What about this slightly shorter fix?
> 
> diff -urN a/fs/exec.c b/fs/exec.c
> --- a/fs/exec.c	Fri Mar 12 01:19:06 2004
> +++ b/fs/exec.c	Sat Apr 10 10:54:20 2004
> @@ -942,6 +942,9 @@
>  			if(!capable(CAP_SETUID)) {
>  				bprm->e_uid = current->uid;
>  				bprm->e_gid = current->gid;
> +				cap_clear (bprm->cap_inheritable);
> +				cap_clear (bprm->cap_permitted);
> +				cap_clear (bprm->cap_effective);
>  			}
>  		}
>  	}

This makes the bprm_compute_creds hook even less sane than now (i.e. it assumes 
that all LSMs will work like the current capability modules).  The hook should 
allow LSM to change this functionality without reintroducing the race.  For 
example, it breaks my work on fixing capabilities.

--Andy

> 
> Regards, Olaf.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/