Hi!
On the webpage, you wrote
> * Second, I argue that an attacker (non-root, obviously) cannot take
> advantage of the patch. (...) One might argue, however, that the patch makes suid
> non-root programs vulnerable, as they could be executed with less
> (regular) capabilities than they expect; however, this is not believed
> to be a serious problem, because (a) such programs are much rarer than
> suid root programs, (b) damage, if any, would be less limited (no
> special capabilities are at stake, only access to the filesystem), (c)
> removing regular capabilities makes system calls fail with a clean
> error code (nothing exotic like the setuid() function which exhibits a
> very subtle difference in behavior according as the CAP_SETUID
> capability is set or not, which made the sendmail exploit possible),
> and (d) system calls can always fail, so adding new causes for failure
> is not introducing anything significantly different.
You contradict yourself. Yes, you are decreasing the security of suid
non-root programs, and yes, someone will take advantage of that. Plus,
you can easily avoid this risk.
Just add all "usual" capabilities when execing
suid/sgid-anything. Alternatively, disallow exec of suid/sgid-anything
when not all "usual" capabilities are present.
(And btw I really like your idea of introducing "usual" capabilities
like CAP_REG_FORK/CAP_REG_OPEN/...).
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/