lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 27 Jul 2006 20:06:34 +0200
From:	Petr Baudis <pasky@...e.cz>
To:	Pekka J Enberg <penberg@...Helsinki.FI>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	akpm@...l.org, viro@...iv.linux.org.uk, alan@...rguk.ukuu.org.uk,
	tytso@....edu, tigran@...itas.com
Subject: Re: [RFC/PATCH] revoke/frevoke system calls V2

Dear diary, on Thu, Jul 27, 2006 at 04:25:07PM CEST, I got a letter
where Pekka J Enberg <penberg@...Helsinki.FI> said that...
> +	if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) {
> +		err = -EPERM;
> +		goto out;
> +	}

Consider:

int main(int argc, char *argv[])
{
	int log = open(argv[1], O_WRONLY | O_APPEND);
	while (1) {
		struct { char *uname, *pwd; } *creds = get_credentials_from_user();
		int shadow = open("/etc/shadow", O_RDWR | O_APPEND);
		fprintf(log, "creds for %s lookup success: %d\n", uname, lookup_in_shadow(shadow, creds));
		do_whatever_strange(shadow);
		close(shadow);
	}
}

Make that setuid root or just create log file owned by you and make root
run it.  Should be innocent enough, right?

Well, except that you can revoke the log file before the shadow file is
opened, at which point open() probably reuses the fd and the program
conveniently logs to /etc/shadow.

You shouldn't let people do this to poor innocent processes running with
different uids.

-- 
				Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
Snow falling on Perl. White noise covering line noise.
Hides all the bugs too. -- J. Putnam
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ