Why can setuid programs regain root after dropping it when using capabilities?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

While debugging some code, I found that a setuid program could regain
root after dropping root if the program used capabilities. (I tested
this on 2.6.14 and 2.6.9.) Is this the expected behavior? Here's a
short test case:

/* chown root this program, suid it, and run it as non-root */
#include <sys/types.h>
#include <sys/capability.h>
#include <unistd.h>
#include <stdio.h>
int main() {
   cap_set_proc(cap_from_text("all-eip")); /* drop all caps */
   setuid(getuid());                       /* drop root. this call succeeds */
   setuid(0);                              /* this should fail! but doesn't */
   printf("%d\n", geteuid());              /* we regained root. prints 0 */
   return 0;
}

(If we don't use capabilities at all, and take out the cap_set_proc
line, then the program behaves as expected, and doesn't allow us to
regain root.)

--David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux