user bonehead does:
~bonehead:>mkdir sbin
~bonehead:>cp hack sbin/modprobe
~bonehead:>chroot ~bonehead (program that would cause a modprobe)
The above is fairly simple. How does the kernel handle this? Because
the kernel is affected by a chroot.
--Perry
>
> To Richard: the reason that I included the call
> to sigfillset(&current->blocked) is because I was worried about
> the following fairly obscure security hack that might work if
> /sbin/modprobe is not present for some reason. I believe (and
> I am not sure) that after the attempt to execve fails and
> starts to return, the system call return code will check for
> a signal (maybe this is not done for system calls executed
> from within the kernel?). By setting up a user defined signal
> handler, which would be inherited through the create_thread() call,
> it would be possible to get that signal handler to execute as the
> superuser, since current->uid and current->euid were set to zero just
> prior to the execve.
>
> Adam J. Richter
-- 
Perry Harrington
Linux rules all OSes.
APSoft () email: perry@apsoft.com
Think Blue.