Re: [RFC/PATCH] revoke/frevoke system calls V2
From: Petr Baudis
Date: Thu Jul 27 2006 - 14:04:33 EST
Dear diary, on Thu, Jul 27, 2006 at 04:25:07PM CEST, I got a letter
where Pekka J Enberg <penberg@xxxxxxxxxxxxxx> said that...
> + if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) {
> + err = -EPERM;
> + goto out;
> + }
Consider:
int main(int argc, char *argv[])
{
int log = open(argv[1], O_WRONLY | O_APPEND);
while (1) {
struct { char *uname, *pwd; } *creds = get_credentials_from_user();
int shadow = open("/etc/shadow", O_RDWR | O_APPEND);
fprintf(log, "creds for %s lookup success: %d\n", uname, lookup_in_shadow(shadow, creds));
do_whatever_strange(shadow);
close(shadow);
}
}
Make that setuid root or just create log file owned by you and make root
run it. Should be innocent enough, right?
Well, except that you can revoke the log file before the shadow file is
opened, at which point open() probably reuses the fd and the program
conveniently logs to /etc/shadow.
You shouldn't let people do this to poor innocent processes running with
different uids.
--
Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
Snow falling on Perl. White noise covering line noise.
Hides all the bugs too. -- J. Putnam
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/