[PATCH 0/2] setgid hardening

From: Andy Lutomirski
Date: Wed Jan 25 2017 - 16:07:08 EST


The kernel has some dangerous behavior involving the creation and
modification of setgid executables. These issues aren't kernel
security bugs per se, but they have been used to turn various
filesystem permission oddities into reliable privilege escalation
exploits.

See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
for a nice writeup.

Let's fix them for real.

Andy Lutomirski (2):
fs: Check f_cred instead of current's creds in should_remove_suid()
fs: Harden against open(..., O_CREAT, 02777) in a setgid directory

fs/inode.c | 37 ++++++++++++++++++++++++++++++-------
fs/internal.h | 2 +-
fs/ocfs2/file.c | 4 ++--
fs/open.c | 2 +-
include/linux/fs.h | 2 +-
5 files changed, 35 insertions(+), 12 deletions(-)

--
2.9.3