From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751886AbdAYX7j (ORCPT ); Wed, 25 Jan 2017 18:59:39 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:3385 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751207AbdAYX7h (ORCPT ); Wed, 25 Jan 2017 18:59:37 -0500 Date: Thu, 26 Jan 2017 00:59:24 +0100 From: Willy Tarreau To: Andy Lutomirski Cc: security@kernel.org, Konstantin Khlebnikov , Alexander Viro , Kees Cook , "linux-mm@kvack.org" , Andrew Morton , yalin wang , Linux Kernel Mailing List , Jan Kara , Linux FS Devel Subject: Re: [PATCH 0/2] setgid hardening Message-ID: <20170125235924.GC23701@1wt.eu> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 25, 2017 at 01:06:50PM -0800, Andy Lutomirski wrote: > The kernel has some dangerous behavior involving the creation and > modification of setgid executables. These issues aren't kernel > security bugs per se, but they have been used to turn various > filesystem permission oddities into reliably privilege escalation > exploits. > > See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ > for a nice writeup. > > Let's fix them for real. BTW I like this. I vaguely remember having played with this when I was a student 2 decades ago on a system where /var/spool/mail was 3777 (yes, setgid+sticky) and the mail files were 660. You could deposit a shell there, then execute it with mail's permissions and access any mailbox. That was quite odd as a design choice. The impacts are often limited unless you find other ways to escalate but generally it's not really clean. Willy