| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Aug 2007 16:46:28 +0400 (MSD)
From: Dan Yefimov <dan@...5.lightwave.net.ru>
To: Wojciech Purczynski <cliph@...c.pl>
Cc: bugtraq@...urityfocus.com
Subject: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death
Signal Vulnerability
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:
>
> Small correction - I forgot to add setuid(0) ;)
>
> PARENT CHILD
> ----------------------------------------------------------------
> fork()
> prctl(PR_SET_PDEATHSIG)
> execve("/bin/setuid-binary")
> setuid(0)
> exit()'ed or killed
> child receives NO signal this time
>
>
> PARENT CHILD
> ----------------------------------------------------------------
> fork()
> prctl(PR_SET_PDEATHSIG)
> execve("/bin/setuid-binary")
> setuid(0)
> execve("/bin/setuid-binary")
> exit()'ed or killed
> privileged process receives the signal
>
This doesn't change anything in what I said previously. If the sender's EUID or
RUID equals to any of SUID or RUID of the victim or the sender process is root,
the sender can send any signal to the victim; if none of those conditions are
met, it obviously can't, no matter how and what signal it sends. For details
look at check_kill_permission() and group_send_sig_info() in kernel/signal.c
and reparent_thread() in kernel/exit.c in the kernel source tree (version
2.6.22).
--
Sincerely Your, Dan.
Powered by blists - more mailing lists