Alan Cox wrote:
> o i386 security hole fix for ptrace. Its in the other architectures
> too. It only bites if you use capabilities. The bigger hole in
> /proc is fixed in 2.2.3
As a general rule in the capability based system the superuser should
not have special [read] access to sensitive things simply because of its
[e]uid being 0. The /proc/ filesystem makes this hard to enforce because
files like /proc/kcore are readable by uid=0.
Here is a patch to make it possible for the admin to mount /proc/ (plus
all of its sub directories and special files) with uid.gid other than
0.0. It simply propagates the already supported uid= and gid= mount
options for the top level /proc directory to the non-process-specific
files within the proc filesystem.
Cheers
Andrew
--------------115528CBC47C6C1CCCE29DEE
Content-Type: text/plain; charset=us-ascii; name="uid-proc.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="uid-proc.patch"
diff -urN linux-2.2.1/fs/proc/inode.c linux-caps/fs/proc/inode.c
--- linux-2.2.1/fs/proc/inode.c Fri May 8 18:10:30 1998
+++ linux-caps/fs/proc/inode.c Sun Jan 31 00:02:05 1999
@@ -267,10 +267,19 @@
inode->u.generic_ip = (void *) de;
if (de) {
- if (de->mode) {
+ if (de->mode) { /* why conditional on non-zero mode? */
+ struct inode *sbi;
+
inode->i_mode = de->mode;
- inode->i_uid = de->uid;
- inode->i_gid = de->gid;
+
+ if ((ino != PROC_ROOT_INO)
+ && (sbi = sb->s_root->d_inode)) {
+ inode->i_uid = sbi->i_uid;
+ inode->i_gid = sbi->i_gid;
+ } else {
+ inode->i_uid = de->uid;
+ inode->i_gid = de->gid;
+ }
}
if (de->size)
inode->i_size = de->size;
--------------115528CBC47C6C1CCCE29DEE--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/