Re: [RFC/PATCH] revoke/frevoke system calls V2

Dear diary, on Thu, Jul 27, 2006 at 04:25:07PM CEST, I got a letter
where Pekka J Enberg <[email protected]> said that...
> +	if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) {
> +		err = -EPERM;
> +		goto out;
> +	}
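Review bot: the test in this hunk (`current->fsuid != inode->i_uid` unless `CAP_FOWNER`) authorizes the revoke by who owns the inode, not by who holds the file open, so the owner of a file can pull descriptors out from under processes running as other uids that have the same file open; either restrict revocation to descriptors held by processes the caller may already control, or document why owner-level authority is intended to be sufficient before the `goto out` error path is the only refusal.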

Consider:

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Placeholder helpers for the sketch; not real functions. */
struct creds { char *uname, *pwd; };
struct creds *get_credentials_from_user(void);
int lookup_in_shadow(int shadow, struct creds *creds);
void do_whatever_strange(int shadow);

int main(int argc, char *argv[])
{
	int log = open(argv[1], O_WRONLY | O_APPEND);	/* held open for the program's lifetime */
	while (1) {
		struct creds *creds = get_credentials_from_user();
		/* if 'log' was revoked in between, this open() may be handed the lowest free number: log's */
		int shadow = open("/etc/shadow", O_RDWR | O_APPEND);
		dprintf(log, "creds for %s lookup success: %d\n", creds->uname, lookup_in_shadow(shadow, creds));
		do_whatever_strange(shadow);
		close(shadow);
	}
}

Make that setuid root or just create log file owned by you and make root
run it.  Should be innocent enough, right?

Well, except that you can revoke the log file before the shadow file is
opened, at which point open() probably reuses the fd and the program
conveniently logs to /etc/shadow.

You shouldn't let people do this to poor innocent processes running with
different uids.

-- 
				Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
Snow falling on Perl. White noise covering line noise.
Hides all the bugs too. -- J. Putnam
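The descriptor-number reuse that makes the scenario above bite, as an added stand-alone example (not code from the mail or from the revoke patch): close() stands in for the revocation, two mkstemp() files under /tmp stand in for the log and the secret file, and an fstat()-based identity check shows the defensive test a long-running program can make before writing to a descriptor it has held for a while.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity of the file a descriptor referred to when we opened it. */
struct fd_ident { int fd; dev_t dev; ino_t ino; };

static int remember(int fd, struct fd_ident *id)
{
	struct stat st;
	if (fstat(fd, &st) < 0) return -1;
	id->fd = fd; id->dev = st.st_dev; id->ino = st.st_ino;
	return 0;
}

/* 1 if the descriptor number still refers to the remembered inode, 0 otherwise. */
static int still_same_file(const struct fd_ident *id)
{
	struct stat st;
	if (fstat(id->fd, &st) < 0) return 0;
	return st.st_dev == id->dev && st.st_ino == id->ino;
}

/* Simulates the mail's scenario with constructed temp files: the log descriptor
 * disappears (close() stands in for revoke) and the next open() receives the
 * lowest free number, i.e. the old log fd.  Returns 1 when the number was
 * reused AND the identity check caught it, 0 if either did not happen, -1 on error. */
int fd_reuse_demo(void)
{
	char logp[] = "/tmp/revoke-log-XXXXXX", secp[] = "/tmp/revoke-secret-XXXXXX";
	int log = mkstemp(logp), secret_tmp = mkstemp(secp);
	if (log < 0 || secret_tmp < 0) return -1;
	close(secret_tmp);                   /* only the name matters; reopen it later */
	struct fd_ident id;
	if (remember(log, &id) < 0) return -1;
	close(log);                          /* the log descriptor is yanked away */
	int secret = open(secp, O_RDWR | O_APPEND);
	int reused = (secret == id.fd);      /* same number: a blind write to 'log' would hit 'secret' */
	int caught = !still_same_file(&id);  /* the fstat check notices the swap */
	close(secret);
	unlink(logp); unlink(secp);
	return reused && caught;
}
```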