Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities
From: lionel.cons () CERN CH (Lionel Cons)
Date: Fri, 16 Jun 2000 11:48:59 +0200


Antonio Galea writes:
On Sat, 10 Jun 2000, xdr wrote:

asmlinkage int new_sys_capset(cap_user_header_t header,cap_user_data_t dataptr)
{
if(current->uid && !cap_raised(dataptr->inheritable, CAP_SETUID)) {
 printk(KERN_ALERT "Program attempting to possibly abuse CAP_SETUID bug: "
                   "UID: %d TASK: %.15s[%d].\n",
                   current->uid, current->comm, current->pid);
 return (RETURN_EPERM ? -EPERM : -EFAULT);
}
return orig_sys_capset(header, dataptr);
}

I've tested this code against smlnx (posted a few days ago by Wojciech
Purczynski): I got a suid shell and no logging was done.

On this subject, we wrote our own kernel module to block this
bug. It's far less permissive but maybe we're just too paranoid...

You can get it from
        http://home.cern.ch/cons/capcheck

________________________________________________________
Lionel Cons        http://home.cern.ch/~cons
CERN               http://www.cern.ch

Acheson's Rule of the Bureaucracy:
        A memorandum is written not to inform the reader but to protect writer.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault