Why can setuid programs regain root after dropping it when using capabilities?
From: David Chau (ddcc_at_mit.edu)
Date: 11/30/05
Date: Tue, 29 Nov 2005 21:35:45 -0500
To: linux-kernel@vger.kernel.org
Hi,
While debugging some code, I found that a setuid program could regain
root after dropping root if the program used capabilities. (I tested
this on 2.6.14 and 2.6.9.) Is this the expected behavior? Here's a
short test case:
/* chown root this program, suid it, and run it as non-root */
#include <sys/types.h>
#include <sys/capability.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
    cap_set_proc(cap_from_text("all-eip")); /* drop all caps */
    setuid(getuid());           /* drop root. this call succeeds */
    setuid(0);                  /* this should fail! but doesn't */
    printf("%d\n", geteuid());  /* we regained root. prints 0 */
    return 0;
}
(If we don't use capabilities at all, and take out the cap_set_proc
line, then the program behaves as expected, and doesn't allow us to
regain root.)
--David
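
Added example, not part of the original post: on Linux, setuid() changes the real and saved UIDs only when the caller holds CAP_SETUID, so with all capabilities cleared the call in the test case alters just the effective UID, and the saved UID of 0 remains available to a later setuid(0). The function below (drop_privileges_permanently is a hypothetical name) sets all three IDs with setresuid() and verifies that root cannot be regained.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; declared here so the
 * file builds whichever feature macros are in effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Permanently become uid/gid. Returns 0 only if the drop was verified. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;

    /* Group first: once the uid is gone we may no longer be allowed to. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Name all three IDs. setuid(uid) without CAP_SETUID would change
     * only the effective uid and leave a saved uid of 0 behind. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify the resulting state instead of trusting return codes. */
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    /* The check the test case above was after: root must be unreachable. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    uid_t r, e, s;
    getresuid(&r, &e, &s);
    printf("before: ruid=%d euid=%d suid=%d\n", (int)r, (int)e, (int)s);
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    getresuid(&r, &e, &s);
    printf("after:  ruid=%d euid=%d suid=%d\n", (int)r, (int)e, (int)s);
    return 0;
}
```

Installed setuid-root and run as an ordinary user, the "before" line shows a saved UID of 0 and the "after" line shows all three IDs equal to the caller's UID.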