Re: Bug in how capability inheritance is handled in "fs/exec.c", 2.3.99

From: Pavel Machek (
Date: Thu Jun 01 2000 - 03:06:00 EST


> >> new PIE=(all,0,all) - which means any executed programs will default
> >> to inheriting *no priviledges* from the suid program.
> >> This is *DESIRABLE*. For privileges to be propagated,
> >> The SUID program would have to explicitly set
> >> its Inheritable set. This means the default is
> >> to not propagate. This is a 'good' thing. Exec'ing
> >> a shell out of a SUID program through a buffer
> >> exploit will default to a capset of (0,0,0) in the
> >> shell. Seems, at least, moderately useful...
> >
> >So what? I can not execute setuid shell, but I can freely do anything
> >I could do with the shell. I'll add myself to
> >~root/.ssh/authorized_keys instead of running root shell. This is
> >called security by obscurity.
> No. Its not obscurity - it is being well publicized and documented.

In example above, I have all capabilities, but if I execute shell,
I'll loose them. So what. I take over the system using my capability
to talk to hardware (tell vga controller to modify kernel using DMA?)
and all the security systems you build for me are gone.

Of course, taking over system is slightly harder than
execl("/bin/bash", ...), but is still doable. Maybe even doable in
"portable" way.


The best software in life is free (not shareware)!		Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at

This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:11 EST