| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <939d53060803191514i4f225043g961d4de932a209ce@mail.gmail.com> Date: Wed, 19 Mar 2008 23:14:21 +0100 From: "Benjamin Thery" <ben.thery@...il.com> To: "Andrew Morton" <akpm@...ux-foundation.org> Cc: tilman@...p.cc, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, davem@...emloft.net, pekkas@...core.fi, yoshfuji@...ux-ipv6.org, dlezcano@...ibm.com, xemul@...nvz.org, "Rafael J. Wysocki" <rjw@...k.pl>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: [2.6.25-rc5-mm1] regression: cannot run Postfix sendmail command as non-root On Wed, Mar 19, 2008 at 10:16 PM, Andrew Morton <akpm@...ux-foundation.org> wrote: > > On Wed, 19 Mar 2008 18:52:41 +0100 > "Benjamin Thery" <ben.thery@...il.com> wrote: > > > Tilman, > > > > I've finally managed to reproduce your problem with Postfix on one of > > my victims. > > > > Earlier, in the afternoon, I wrote a piece of code that triggered a > > similar behaviour, > > but I wasn't sure it was exactly the problem you found. So, I've > > rebuilt Postfix, added > > some traces and, voila, same issue as yours. > > (The version of Postfix originally installed on my machine seems to > > have IPv6 disabled) > > > > I bisected the problem to the commit "[NET]: Make /proc/net a symlink > > on /proc/self/net (v3)" > > > > Here is what happens: > > > > - Recently /proc/net has been moved to /proc/self/net, and > > /proc/self/net is a symlink > > on this directory. > > - Before that everybody could access /proc/net and read /proc/net/if_inet6: > > dr-xr-xr-x 6 root root 0 2008-03-05 15:23 /proc/net > > > > - Now, /proc/self/net has a more restrictive access mode and ony the > > owner of the > > process can enter the directory: > > dr-xr--r-- 5 toto toto 0 Mar 19 17:30 net > > > > This is not a problem in most of the cases, but it becomes annoying > > when a process > > decides to change its UID or GID. It may loose access to its own > > /proc/self/net entries. > > > > - What happens in the Postfix case is the 'sendmail' process executes the > > '/usr/sbin/postdrop' binary to enqueue the message, but unfortunately > > '/usr/bin/postdrop' has the setgid bit set: > > -rwxr-sr-x 1 root postdrop 479475 Mar 19 17:14 /usr/sbin/postdrop > > > > The process egid changes and this seems to be problematic to access > > /proc/self/net/if_inet6. :) > > > > I've attached a tiny test program that can be used to reproduce the problem > > without Postfix. > > - Either execute it as root and give it an unprivileged uid in argument > > ./test-proc_net_if_inet6 1001 > > > > - Or change its ownership and access mode to: -rwxr-sr-x root postdrop > > and execute it as a lambda user. > > chown root:postdrop test-proc_net_if_inet6; chmod 2755 test-proc_net_if_inet6 > > ./test-proc_net_if_inet6 > > > > I've found the cause but not the fix. :) > > (Adding Pavel in cc:) > > > > Thanks for that - most useful. > > Although this is advertised as a 2.6.25-rc5-mm1 problem, I assume the > regression is also in mainline? 2.6.25-rc6? Yes, it is in mainline. I reproduced it on 2.6.25-rc5. Benjamin -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists