Date:	Wed, 11 Oct 2006 14:58:33 -0400
From:	Serge Aleynikov <serge@...idt.net>
To:	linux-kernel@...r.kernel.org
CC:	Linus Torvalds <torvalds@...l.org>, Alan Cox <alan@...hat.com>
Subject: non-critical security bug fix

To Maintainers of the linux/security/commoncap.c:

Patch description:
==================
This bug-fix ensures that if a process with root access sets 
keep_capabilities flag, current capabilities get preserved when the 
process switches from root to another effective user.  It looks like 
this was intended from the way capabilities are documented, but the 
current->keep_capabilities flag is not being checked.

Regards,

Serge

----------------------------[ Begin patch ]---------------------------

--- linux/security/commoncap.c.orig  2005-10-29 16:00:58.656572231 -0400
+++ linux/security/commoncap.c       2005-10-29 16:04:45.093411424 -0400
@@ -217,6 +217,10 @@
   * Keeping uid 0 is not an option because uid 0 owns too many vital
   * files..
   * Thanks to Olaf Kirch and Peter Benie for spotting this.
+ *
+ * Serge Aleynikov <serge@...idt.net> IDT Corp, Oct 2005
+ * Control the case (old_euid==0 && current->euid!=0) via
+ * current->keep_capabilities as well.
   */
  static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
  					int old_suid)
@@ -227,7 +231,8 @@
  		cap_clear (current->cap_permitted);
  		cap_clear (current->cap_effective);
  	}
-	if (old_euid == 0 && current->euid != 0) {
+	if (old_euid == 0 && current->euid != 0 &&
+           !current->keep_capabilities) {
  		cap_clear (current->cap_effective);
  	}
  	if (old_euid != 0 && current->euid == 0) {

----------------------------[ End patch ]---------------------------



----------------------------[ Begin test ]--------------------------
Change the EFFECTIVE_UID value, compile and run the following as root.
This test tries to set the capability cap_net_raw, then switch from root
to an effective user, and open a raw socket being not a root.

#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <linux/if_ether.h>
#include <netinet/in.h>
#include <unistd.h>
#include <sys/capability.h>
#include <sys/prctl.h>

#define EFFECTIVE_UID 501

int main()
{
	int s1, s2, rc;
	cap_t   caps;
	char    cmd [1024];

	if  (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
	    printf ("\nCould not SET_KEEPCAPS\n");
	printf ("Keeping the Capabilities: %d\n",
		prctl (PR_GET_KEEPCAPS, 0,0,0,0));

	printf ("\nReal UID=%d, Real GID=%d, Eff UID=%d, Eff GID=%d\n",
			getuid(), getgid(), geteuid(), getegid());

	caps =  cap_get_proc ();
	printf ("\nInitial Capabilities: %s\n",
		cap_to_text (caps, NULL));

	sprintf (cmd, "cap_setuid,cap_setgid,cap_net_raw=eip");
	printf  ("\nSetting the Capabilities %s\n",  cmd);
	rc   =  cap_set_proc (cap_from_text     (cmd));
	if (rc != 0)
	   printf ("Failed to set the Capabilities: %s\n",
		strerror(errno));

	caps =  cap_get_proc ();
	printf ("\nPrivileged Capabilities: %s\n",
		cap_to_text(caps, NULL));

	setegid (EFFECTIVE_UID);
	seteuid (EFFECTIVE_UID);

	printf ("\nReal UID=%d, Real GID=%d, Eff UID=%d, Eff GID=%d\n",
			getuid(), getgid(), geteuid(), getegid());

	caps =  cap_get_proc ();
	printf ("\nUnPrivileged Capabilities: %s\n",
		cap_to_text(caps, NULL));

	s1 = socket (PF_INET, SOCK_RAW, IPPROTO_RAW);
	if (s1 < 0)
		printf ("PF_INET error: %s\n", strerror (errno));

	s2 = socket (PF_PACKET, SOCK_RAW,  htonl(ETH_P_IP));
	if (s2 < 0)
		printf ("PF_INET error: %s\n", strerror (errno));

	return 0;
}
----------------------------[ End test ]----------------------------

Regards,

Serge

-- 
Serge Aleynikov
Routing R&D, IDT Telecom
Tel: +1 (973) 438-3436
Fax: +1 (973) 438-1464
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists