[15375] in bugtraq
Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
daemon@ATHENA.MIT.EDU (Lionel Cons)
Fri Jun 16 14:36:48 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20000616114523.0@c699100c9b5badcc26efde58cf40aac9>
Date: Fri, 16 Jun 2000 11:48:59 +0200
Reply-To: Lionel Cons <lionel.cons@CERN.CH>
From: Lionel Cons <lionel.cons@CERN.CH>
X-To: ant9000@NETWISE.IT
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.04.10006151556130.836-100000@chomp.uff.netwise.it>
Antonio Galea writes:
> On Sat, 10 Jun 2000, xdr wrote:
>
> >asmlinkage int new_sys_capset(cap_user_header_t header, cap_user_data_t dataptr)
> >{
> >    if (current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
> >        printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
> >               "UID: %d TASK: %.15s[%d].\n",
> >               current->uid, current->comm, current->pid);
> >        return (RETURN_EPERM ? -EPERM : -EFAULT);
> >    }
> >    return orig_sys_capset(header, dataptr);
> >}
>
> I've tested this code against smlnx (posted a few days ago by Wojciech
> Purczynski): I got a suid shell and no logging was done.
On this subject, we wrote our own kernel module to block this
bug. It's far less permissive but maybe we're just too paranoid...
You can get it from
http://home.cern.ch/cons/capcheck
________________________________________________________
Lionel Cons http://home.cern.ch/~cons
CERN http://www.cern.ch
Acheson's Rule of the Bureaucracy:
A memorandum is written not to inform the reader but to protect the writer.