[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    The two bugs in Linux kernel: an interesting analogy
From:       Pavel Kankovsky <peak () argo ! troja ! mff ! cuni ! cz>
Date:       2001-10-26 14:34:12
[Download RAW message or body]

It seems there is an interesting analogy between the ptrace() bug
published Rafal Wojtczuk and a (much less dangerous) problem with disk
quotas published by Wojciech Purczynski. In both cases, a program running
with elevated privileges inherits something (a traced process, a file
descriptor), and in both cases, it exercises its privileges on that
thing (in the first case, a traced process is allowed to execute
a setuid/setgid program (*); in the second case, the file is allowed
to grow past its owner's disk quota).

Apparently, it is not a good idea to mix two styles of access checks:
immediate checks using current process' credentials and checks based
the possession of some sort of "capability" (i.e. a file descriptor)
that has been acquired in the past (perhaps using different credentials).

(*) Such a feature can be quite useful...assuming it is not implemented
in a way that introduces a big security hole.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

[prev in list] [next in list] [prev in thread] [next in thread]