Re: [PATCH, local root on 2.4, 2.6?] compute_creds race
From: Olaf Dietsche
Date: Sat Apr 10 2004 - 05:35:17 EST
Andy Lutomirski <luto@xxxxxxxxxxxxx> writes:
> The setuid program is now running with uid=euid=500 but full permitted
> capabilities. There are two (or three) ways to effectively get local
> root now:
>
> 1. IIRC, linux 2.4 doesn't check capabilities in ptrace, so A could
> just ptrace B again.
In linux 2.4.25 there is no LSM and thus no vulnerability.
linux-2.4.25/fs/exec.c:
lock_kernel();
if (must_not_trace_exec(current)
|| atomic_read(¤t->fs->count) > 1
|| atomic_read(¤t->files->count) > 1
|| atomic_read(¤t->sig->count) > 1) {
if(!capable(CAP_SETUID)) {
bprm->e_uid = current->uid;
bprm->e_gid = current->gid;
}
if(!capable(CAP_SETPCAP)) {
new_permitted = cap_intersect(new_permitted,
current->cap_permitted);
}
}
do_unlock = 1;
Regards, Olaf.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/