linux kernel patch - suid procs exec'd with bad 0,1,2 fds

From: Zachary Amsden (amsdenzat_private)
Date: Tue Aug 04 1998 - 10:19:01 PDT


    Patch for current linux kernels
    
    If a privileged process is exec'd by a user who closes
    file descriptors on it, many poorly written programs do
    not notice and libc printf functions may have access to
    any files opened.  This can be used to crash the system
    by corrupting memory or in some cases, compromise root.
    
    This doesn't attempt to fix the fds for such a process,
    that would be not quite right in a chrooted environment
    with no /dev/null, and creating fake dentries and inode
    is too much work for something that is not quite useful
    
    Instead, we just fall through the standard error checks
    and return EPERM
    
    
    This doesn't break pipelines or any other traditional
    UNIX functionality that I am aware of.
    
    Zachary Amsden
    amsdenat_private
    
    
    
    



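The descriptor reuse described in the message, and a userland version of the same refuse-rather-than-repair policy, as an added example that is not part of the original post or of the kernel patch. The names `std_fds_open`, `run_child` and `EXIT_REFUSED` are hypothetical; `run_child` is only a harness that simulates a caller closing a descriptor before the privileged code runs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define EXIT_REFUSED 77  /* constructed exit code for this example */

/* Returns 1 if descriptors 0, 1 and 2 are all open, 0 otherwise.
 * fcntl(F_GETFD) fails with EBADF on a closed descriptor and needs
 * no /dev/null, so the check also works in a bare chroot. */
int std_fds_open(void)
{
    for (int fd = 0; fd <= 2; fd++)
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF)
            return 0;
    return 1;
}

/* Harness: in a child with 0,1,2 known open, close `victim` (-1 = none),
 * then open a file as a privileged program would. Returns EXIT_REFUSED
 * if the guard stopped the child, else the descriptor open() returned. */
int run_child(int victim, int guard)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int base = open("/", O_RDONLY);
        if (base < 0) _exit(99);
        for (int fd = 0; fd <= 2; fd++)
            if (fd != base) dup2(base, fd);
        if (base > 2) close(base);
        if (victim >= 0) close(victim);
        if (guard && !std_fds_open())
            _exit(EXIT_REFUSED);     /* refuse, do not try to repair */
        _exit(open("/", O_RDONLY));  /* lowest free descriptor number */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("fd 2 closed, no guard: open() returned %d\n", run_child(2, 0));
    printf("fd 2 closed, guard: exit status %d\n", run_child(2, 1));
    return 0;
}
```

In a real privileged program the `std_fds_open()` call belongs at the very top of `main()`, before any file, socket or pipe is opened.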