[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: The two bugs in Linux kernel: an interesting analogy
From: Pavel Kankovsky <peak () argo ! troja ! mff ! cuni ! cz>
Date: 2001-10-26 14:34:12
[Download RAW message or body]
It seems there is an interesting analogy between the ptrace() bug
published Rafal Wojtczuk and a (much less dangerous) problem with disk
quotas published by Wojciech Purczynski. In both cases, a program running
with elevated privileges inherits something (a traced process, a file
descriptor), and in both cases, it exercises its privileges on that
thing (in the first case, a traced process is allowed to execute
a setuid/setgid program (*); in the second case, the file is allowed
to grow past its owner's disk quota).
Apparently, it is not a good idea to mix two styles of access checks:
immediate checks using current process' credentials and checks based
the possession of some sort of "capability" (i.e. a file descriptor)
that has been acquired in the past (perhaps using different credentials).
(*) Such a feature can be quite useful...assuming it is not implemented
in a way that introduces a big security hole.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic