Re: quotactl hook

From: Chris Wright (chrisat_private)
Date: Wed Sep 12 2001 - 10:37:46 PDT


    * richard offer (offerat_private) wrote:
    > 
    > 
    > * frm gregat_private "09/11/01 13:14:04 -0700" | sed '1,$s/^/* /'
    > *
    > * On Tue, Sep 11, 2001 at 09:38:05AM -0700, richard offer wrote:
    > *> 
    > *> How does this work? It back-tracks from Stephen's separation of function
    > *> from access control, but it implements an identical code path to pre-LSM.
    > * 
    > * I don't know, how does this work?
    > * Have you tried it out against the different ptrace sploits out there?
    > 
    > The only exploit I could find for 2.4 was fixed by Alan Cox in 2.4.1-ac19,
    > so the code as I posted this morning works as expected, i.e. PTRACE_ATTACH:
    > operation not permitted.
    > 
    > If you've got any other exploits that you think should be tested, if you
    > can send me a pointer to the code I'll try them out.
    
    I have some exploits I'll send you.  IIRC, the main race was with the
    dumpable flag.  Older 2.2.<19 and early 2.4 kernels had a race where the
    exec on a suid executable didn't turn off the dumpable flag soon enough.
    So all you have to do is execute a simple program that does an execve()
    of a program that is suid and not in cache.  The race is on...
    
    -chris
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
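
A harness for the check this exchange describes (does PTRACE_ATTACH against a child in the middle of an execve() of a setuid binary come back EPERM, and can a child we trace ever be seen running with a foreign euid), added here as an example; it is not code from the posting, from Richard's test, or from the kernel. It assumes Linux with the ordinary ptrace(2), fork/exec and /proc/<pid>/status interfaces; the function names, the verdict enum and the page-cache eviction through posix_fadvise() are this example's own choices.

```c
/* Added example, not code from the list posting or from the kernel: a harness for
 * the check Richard describes (PTRACE_ATTACH against a child that is execve()ing a
 * setuid binary must fail with EPERM) plus the stronger condition that a traced child
 * must never run with a foreign euid. Assumes Linux ptrace(2), fork/exec and /proc. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict {
    V_DENIED,      /* EPERM: the expected answer for a setuid target on a fixed kernel */
    V_ATTACHED,    /* attach landed; child never ran with another euid while traced */
    V_ESCALATED,   /* traced child seen with a foreign euid: the bug in the thread */
    V_TARGET_GONE, /* child exited before any attach landed: race lost, rerun */
    V_ERROR        /* fork/ptrace failed for an unrelated reason */
};

/* Effective uid from a /proc/<pid>/status buffer, -1 if there is no Uid: line. */
long euid_from_status(const char *buf)
{
    unsigned ruid, euid;
    const char *p = strstr(buf, "Uid:");
    if (!p || sscanf(p, "Uid: %u %u", &ruid, &euid) != 2)
        return -1;
    return (long)euid;
}

static long read_euid(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    int fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    return euid_from_status(buf);
}

/* Fork a child that execs PATH, hammer PTRACE_ATTACH on it, and once an attach
 * lands keep following the child for up to budget_ms, watching its euid. */
enum verdict race_attach(const char *path, char *const argv[], int budget_ms)
{
    int fd = open(path, O_RDONLY);  /* best-effort page-cache eviction: "not in cache" */
    if (fd >= 0) { posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED); close(fd); }

    pid_t child = fork();
    if (child < 0) return V_ERROR;
    if (child == 0) {
        int nul = open("/dev/null", O_RDWR);
        if (nul >= 0) { dup2(nul, 0); dup2(nul, 1); dup2(nul, 2); }
        execv(path, argv);
        _exit(127);
    }

    enum verdict v = V_ERROR;
    for (long i = 0; i < 1000000; i++) {
        if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) { v = V_ATTACHED; break; }
        if (errno == EPERM) { v = V_DENIED; break; }
        if (errno != ESRCH) break;                          /* unexpected errno: V_ERROR */
        if (waitpid(child, NULL, WNOHANG) == child) return V_TARGET_GONE;
    }
    for (int ms = 0; v == V_ATTACHED && ms < budget_ms; ms++) {
        int st;
        pid_t w = waitpid(child, &st, WNOHANG);
        if (w == child && !WIFSTOPPED(st)) { child = 0; break; }   /* exited and reaped */
        if (w == child) {   /* a traced exec reports as SIGTRAP; forward neither it nor SIGSTOP */
            int sig = WSTOPSIG(st);
            ptrace(PTRACE_CONT, child, NULL, (void *)(long)(sig == SIGTRAP || sig == SIGSTOP ? 0 : sig));
        }
        long euid = read_euid(child);
        if (euid >= 0 && (uid_t)euid != geteuid()) { v = V_ESCALATED; break; }
        usleep(1000);
    }
    if (child > 0) { kill(child, SIGKILL); waitpid(child, NULL, 0); }
    return v;
}

/* Self-check against a non-setuid target: whatever the sandbox permits, a sane
 * kernel must never show us a traced child running with a foreign euid. */
int self_check_ok(void)
{
    char *args[] = { "true", NULL };
    enum verdict v = race_attach("/bin/true", args, 200);
    return v == V_DENIED || v == V_ATTACHED || v == V_TARGET_GONE;
}

int main(int argc, char **argv)
{
    if (argc < 2 || geteuid() == 0) {
        fprintf(stderr, "usage (as an unprivileged user): %s /path/to/setuid-binary [args]\n", argv[0]);
        return 2;
    }
    enum verdict v = race_attach(argv[1], argv + 1, 1000);
    printf("%s: verdict %d (0 EPERM, 1 attached, 2 ESCALATED, 3 target gone, 4 error)\n", argv[1], (int)v);
    return v == V_ESCALATED;
}
```

Run it as an unprivileged user against a real setuid binary (for instance a setuid passwd); on a kernel with the fix the verdict is the EPERM one, which is what Richard reports. An attach that lands before the child has even called execve() is legitimate and proves nothing on its own, which is why the harness keeps following the child and only flags the case where a process it traces is observed with an euid other than the caller's. The page-cache eviction is best effort, so repeat the run a few times on a warm cache.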
    



    This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 10:46:41 PDT