From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Thu, 26 Jan 2017 00:59:24 +0100 From: Willy Tarreau To: Andy Lutomirski Cc: security@kernel.org, Konstantin Khlebnikov , Alexander Viro , Kees Cook , "linux-mm@kvack.org" , Andrew Morton , yalin wang , Linux Kernel Mailing List , Jan Kara , Linux FS Devel Subject: Re: [PATCH 0/2] setgid hardening Message-ID: <20170125235924.GC23701@1wt.eu> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: On Wed, Jan 25, 2017 at 01:06:50PM -0800, Andy Lutomirski wrote: > The kernel has some dangerous behavior involving the creation and > modification of setgid executables. These issues aren't kernel > security bugs per se, but they have been used to turn various > filesystem permission oddities into reliably privilege escalation > exploits. > > See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ > for a nice writeup. > > Let's fix them for real. BTW I like this. I vaguely remember having played with this when I was a student 2 decades ago on a system where /var/spool/mail was 3777 (yes, setgid+sticky) and the mail files were 660. You could deposit a shell there, then execute it with mail's permissions and access any mailbox. That was quite odd as a design choice. The impacts are often limited unless you find other ways to escalate but generally it's not really clean. Willy -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org