Re: [PATCH, local root on 2.4, 2.6?] compute_creds race

From: Olaf Dietsche
Date: Sat Apr 10 2004 - 05:35:17 EST

Next message: Dub Spencer: "2.6.5 hangs when burning cdrom while watching tv"
Previous message: Benjamin Herrenschmidt: "Re: want to clarify powerpc assembly conventions in head.S andentry.S"
In reply to: Andy Lutomirski: "Re: [PATCH, local root on 2.4, 2.6?] compute_creds race"
Next in thread: Chris Wright: "Re: [PATCH, local root on 2.4, 2.6?] compute_creds race"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andy Lutomirski <luto@xxxxxxxxxxxxx> writes:

> The setuid program is now running with uid=euid=500 but full permitted
> capabilities. There are two (or three) ways to effectively get local
> root now:
>
> 1. IIRC, linux 2.4 doesn't check capabilities in ptrace, so A could
> just ptrace B again.

In linux 2.4.25 there is no LSM and thus no vulnerability.

linux-2.4.25/fs/exec.c:
lock_kernel();
if (must_not_trace_exec(current)
|| atomic_read(&current->fs->count) > 1
|| atomic_read(&current->files->count) > 1
|| atomic_read(&current->sig->count) > 1) {
if(!capable(CAP_SETUID)) {
bprm->e_uid = current->uid;
bprm->e_gid = current->gid;
}
if(!capable(CAP_SETPCAP)) {
new_permitted = cap_intersect(new_permitted,
current->cap_permitted);
}
}
do_unlock = 1;

Regards, Olaf.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dub Spencer: "2.6.5 hangs when burning cdrom while watching tv"
Previous message: Benjamin Herrenschmidt: "Re: want to clarify powerpc assembly conventions in head.S andentry.S"
In reply to: Andy Lutomirski: "Re: [PATCH, local root on 2.4, 2.6?] compute_creds race"
Next in thread: Chris Wright: "Re: [PATCH, local root on 2.4, 2.6?] compute_creds race"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]