Bugtraq: Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities

[lionel.cons () CERN CH (Lionel Cons)]

Antonio Galea writes:
> On Sat, 10 Jun 2000, xdr wrote:
>
> > asmlinkage int new_sys_capset(cap_user_header_t header,cap_user_data_t dataptr)
> > {
> > if(current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
> >  printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
> >                    "UID: %d TASK: %.15s[%d].\n",
> >                    current->uid, current->comm, current->pid);
> >  return (RETURN_EPERM ? -EPERM : -EFAULT);
> > }
> > return orig_sys_capset(header, dataptr);
> > }
> I've tested this code against smlnx (posted a few days ago by Wojciech
> Purczynski): I got a suid shell and no logging was done.
On this subject, we wrote our own kernel module to block this
bug. It's far less permissive but maybe we're just too paranoid...

You can get it from
        http://home.cern.ch/cons/capcheck

________________________________________________________
Lionel Cons        http://home.cern.ch/~cons
CERN               http://www.cern.ch

Acheson's Rule of the Bureaucracy:
        A memorandum is written not to inform the reader but to protect writer.