Re: insmod/modprobe behaviour in regards to non-root-owned modules

[Keith Owens <kaos () ocs com au>]

On Tue, 17 Jul 2001 15:18:31 +0930 (CST), 
Toby Corkindale <tjcorkin () sa pracom com au> wrote:
> According to the manual page for insmod, insmod should refuse
> to install a non-root-owned module, since otherwise exploits relating to
> compromised user accounts who own modules, or else a compromised
> modules.dep, are available.
>
> I would assume modprobe should follow this behaviour.
> However, see the below transcript for an example of modprobe differing.
>
> The insmod correctly denies to load the module, but modprobe happily
> installs it! (Note that modprobe is actually just a symlink to insmod,
> which checks the argv[0] to determine mode to run)

It loads because modprobe is trusting the data in modules.dep.  You can
only get into this situation by one of two actions:

  (1) root ran depmod with -r to allow modules not owned by root
  (2) the module was originally owned by root but root changed the
      owner or installed a new version, in either case they have not
      run depmod after the change.

modules.dep is a trusted file.  root builds it by hand or via a startup
script.  If root changes the modules without refreshing modules.dep
then you have GIGO.

AFAICT you need root to do this, to update files and/or permissions in
/lib/modules.  If you can reproduce the problem without requiring root
privileges at some stage and without using depmod -r then it is a bug.
Otherwise "root can destroy a system", this is not news.