Bugtraq mailing list archives
linux kernel patch - suid procs exec'd with bad 0,1,2 fds
From: amsdenz () AAVID COM (Zachary Amsden)
Date: Tue, 4 Aug 1998 13:19:01 -0400
Patch for current linux kernels If a priviledged process is exec'd by a user who closes file descriptors on it, many poorly written programs do not notice and libc printf functions may have access to any files opened. This can be used to crash the system by corrupting memory or in some cases, compromise root. This doesn't attempt to fix the fds for such a process, that would be not quite right in a chrooted environment with no /dev/null, and creating fake dentries and inode is too much work for something that is not quite useful Instead, we just fall through the standard error checks and return EPERM This doesn't break pipelines or any other traditional UNIX functionality that I am aware of. Zachary Amsden amsden () andrew cmu edu begin 666 suidbadfd.txt M+2TM(&QI;G5X+V9S+V5X96,N8RYO;&0)1G)I($IU;" S,2 Q,3HS-CHT.2 Q M.3DX#0HK*RL@;&EN=7@O9G,O97AE8RYC"4UO;B!!=6<@(#,@,3$Z-3 Z,3(@ M,3DY. T*0$ @+38U-2PQ," K-C4U+#$W($! #0H@"0DO*B!792!C86XG="!S M=6ED+65X96-U=&4@:68@=V4G<F4@<VAA<FEN9R!P87)T<R!O9B!T:&4@97AE M8W5T86)L92 J+PT*( D)+RH@;W(@:68@=V4G<F4@8F5I;F<@=')A8V5D("AO M<B!I9B!S=6ED(&5X96-S(&%R92!N;W0@86QL;W=E9"D@(" @*B\-"B )"2\J M("AC=7)R96YT+3YM;2T^8V]U;G0@/B Q(&ES(&]K+"!A<R!W92=L;"!G970@ M82!N97<@;6T@86YY=V%Y*2 @("HO#0HK"0DO*B!!;'-O(&1O;B=T('-U:60M M97AE8R!P<F]C<R!W:71H(&)A9" P+#$L,B!F9',@9F]R('-E8W5R:71Y("U: M02 J+PT*( D):68@*$E37TY/4U5)1"AI;F]D92D-"B )"2 @("!\?" H8W5R M<F5N="T^9FQA9W,@)B!01E]05%)!0T5$*0T*( D)(" @('Q\("AC=7)R96YT M+3YF<RT^8V]U;G0@/B Q*0T*( D)(" @('Q\("AA=&]M:6-?<F5A9"@F8W5R M<F5N="T^<VEG+3YC;W5N="D@/B Q*0T**PD)(" @('Q\("%&1%])4U-%5"@P M+" F8W5R<F5N="T^9FEL97,M/F]P96Y?9F1S*0T**PD)(" @('Q\("%&1%]) M4U-%5"@Q+" F8W5R<F5N="T^9FEL97,M/F]P96Y?9F1S*0T**PD)(" @('Q\ M("%&1%])4U-%5"@R+" F8W5R<F5N="T^9FEL97,M/F]P96Y?9F1S*0T**PD) M(" @('Q\($9$7TE34T54*# L("9C=7)R96YT+3YF:6QE<RT^8VQO<V5?;VY? M97AE8RD-"BL)"2 @("!\?"!&1%])4U-%5"@Q+" F8W5R<F5N="T^9FEL97,M M/F-L;W-E7V]N7V5X96,I#0HK"0D@(" @?'P@1D1?25-3150H,BP@)F-U<G)E M;G0M/F9I;&5S+3YC;&]S95]O;E]E>&5C*0T*( D)(" @('Q\("AC=7)R96YT M+3YF:6QE<RT^8V]U;G0@/B Q*2D@>PT*(" )"0EI9B H:61?8VAA;F=E("8F M("%C87!A8FQE*$-!4%]31515240I*0T*(" )"0D)<F5T=7)N("U%4$5233L- !"@`` ` end
Current thread:
- Re: Object tag crashes Internet Explorer 4.0 Paul Leach (Aug 04)
- linux kernel patch - suid procs exec'd with bad 0,1,2 fds Zachary Amsden (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Kragen (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Pavel Kankovsky (Aug 05)
- Re: Object tag crashes Internet Explorer 4.0 David Damerell (Aug 06)
- Sendmail up to 8.9.1 - mail.local instroduces new class of bugs Michal Zalewski (Jul 09)
- Re: Sendmail up to 8.9.1 - mail.local instroduces new class of Jeremiah Rothschild (Aug 10)
- Re: Sendmail up to 8.9.1 - mail.local instroduces new class of Scott Stone (Aug 10)
- Network Associates Inc. Advisory (OpenBSD) Security Research Labs (Aug 10)
- Sendmail up to 8.9.1 - mail.local instroduces new class of bugs Michal Zalewski (Jul 09)
- Re: Object tag crashes Internet Explorer 4.0 Alan Cox (Aug 07)
- Description of the Eudora Security Hole Aleph One (Aug 07)
- resend Steve Bellovin (Aug 06)