From: Willy Tarreau <w@1wt.eu>
To: Andy Lutomirski <luto@kernel.org>
Cc: security@kernel.org, Konstantin Khlebnikov <koct9i@gmail.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
yalin wang <yalin.wang2010@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jan Kara <jack@suse.cz>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH 0/2] setgid hardening
Date: Thu, 26 Jan 2017 00:59:24 +0100 [thread overview]
Message-ID: <20170125235924.GC23701@1wt.eu> (raw)
In-Reply-To: <cover.1485377903.git.luto@kernel.org>
On Wed, Jan 25, 2017 at 01:06:50PM -0800, Andy Lutomirski wrote:
> The kernel has some dangerous behavior involving the creation and
> modification of setgid executables. These issues aren't kernel
> security bugs per se, but they have been used to turn various
> filesystem permission oddities into reliably privilege escalation
> exploits.
>
> See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
> for a nice writeup.
>
> Let's fix them for real.
BTW I like this. I vaguely remember having played with this when I
was a student 2 decades ago on a system where /var/spool/mail was
3777 (yes, setgid+sticky) and the mail files were 660. You could
deposit a shell there, then execute it with mail's permissions and
access any mailbox. That was quite odd as a design choice. The
impacts are often limited unless you find other ways to escalate
but generally it's not really clean.
Willy
prev parent reply other threads:[~2017-01-25 23:59 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-25 21:06 [PATCH 0/2] setgid hardening Andy Lutomirski
2017-01-25 21:06 ` [PATCH 1/2] fs: Check f_cred instead of current's creds in should_remove_suid() Andy Lutomirski
2017-01-25 21:43 ` Ben Hutchings
2017-01-25 21:48 ` Andy Lutomirski
2017-01-25 23:15 ` Frank Filz
2017-01-26 0:12 ` Kees Cook
2017-01-25 21:06 ` [PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory Andy Lutomirski
2017-01-25 21:31 ` Ben Hutchings
2017-01-25 21:44 ` Andy Lutomirski
2017-01-25 23:17 ` Frank Filz
2017-01-25 23:50 ` Willy Tarreau
2017-01-25 23:59 ` Willy Tarreau [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170125235924.GC23701@1wt.eu \
--to=w@1wt.eu \
--cc=akpm@linux-foundation.org \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=koct9i@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=security@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=yalin.wang2010@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).