From: Keith Owens <kaos@ocs.com.au>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Local root exploit with kmod and modutils > 2.1.121
Date: Fri, 17 Nov 2000 07:24:36 +1100
Message-ID: <4328.974406276@ocs3.ocs-net>
In-Reply-To: Your message of "Thu, 16 Nov 2000 16:04:23 -0000." <E13wRWU-0007yG-00@the-village.bc.nu>

On Thu, 16 Nov 2000 16:04:23 +0000 (GMT),
Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
>> request_module has the same effect as running suid. dev_load() can
>> take the interface name and pass it to modprobe unchanged and modprobe
>> does not verify its input, it trusts root/kernel.
>
>Then dev_load is being called the wrong way. In older kernels we explicitly
>only did a dev_load with user passed names providing suser() was true.

ping6 -I module_name. ping6 is setuid, it passes the interface name to
the kernel while it holds root privileges, suser() == true. It is
not reasonable to expect setuid programs to know that Linux does
something special with some parameters when no other O/S has that
"feature".
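
[Added example, not part of the original message or of any kernel or modutils code: one way to validate an untrusted interface name before it is handed to a module-loading helper, so that a name can never be read as an option or a path. The function names, the helper path, the 16-byte limit and the allowed character set are assumptions made for this sketch.]

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX  16               /* assumed limit, including the NUL */
#define LOADER_PATH "/sbin/modprobe" /* assumed helper path */

/* Return 1 if an untrusted name may be handed to the module loader. */
int ifname_is_safe(const char *name)
{
    size_t i;
    /* First byte must be a letter: rejects "", a leading '-' (which the
     * helper would parse as an option) and a leading '.' or '/' (paths). */
    if (name == NULL || !isalpha((unsigned char)name[0]))
        return 0;
    for (i = 1; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (i >= IFNAME_MAX - 1)
            return 0;                /* too long for an interface name */
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != ':')
            return 0;                /* whitespace, '/', shell metacharacters */
    }
    return 1;
}

/* Fill argv for the helper; returns 0 on success, -1 if name is rejected. */
int build_loader_argv(const char *name, const char *argv[4])
{
    if (!ifname_is_safe(name))
        return -1;
    argv[0] = LOADER_PATH;
    argv[1] = "--";                  /* end of options: name is an operand */
    argv[2] = name;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const char *samples[] = { "eth0", "eth0:1", "-x", "../lib/mod", "eth0 extra" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s %s\n", samples[i], ifname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```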