Re: Bug in how capability inheritance is handled in "fs/exec.c", 2.3.99

From: Jesse Pollard (
Date: Thu Jun 01 2000 - 05:37:52 EST

On Thu, 01 Jun 2000, Pavel Machek wrote:
>> >> new PIE=(all,0,all) - which means any executed programs will default
>> >> to inheriting *no privileges* from the suid program.
>> >> This is *DESIRABLE*. For privileges to be propagated,
>> >> The SUID program would have to explicitly set
>> >> its Inheritable set. This means the default is
>> >> to not propagate. This is a 'good' thing. Exec'ing
>> >> a shell out of a SUID program through a buffer
>> >> exploit will default to a capset of (0,0,0) in the
>> >> shell. Seems, at least, moderately useful...
>> >
>> >So what? I can not execute setuid shell, but I can freely do anything
>> >I could do with the shell. I'll add myself to
>> >~root/.ssh/authorized_keys instead of running root shell. This is
>> >called security by obscurity.
>> No. It's not obscurity - it is being well publicized and documented.
>In example above, I have all capabilities, but if I execute shell,
>I'll lose them. So what. I take over the system using my capability
>to talk to hardware (tell vga controller to modify kernel using DMA?)
>and all the security systems you build for me are gone.
>Of course, taking over system is slightly harder than
>execl("/bin/bash", ...), but is still doable. Maybe even doable in
>"portable" way.

Perhaps, if the stack is executable and you load a rather long function
to do the work. It would require multiple system calls to do that.

Personally, I'd like to have a capability that disables executable stack.

Jesse I Pollard, II

Any opinions expressed are solely my own.
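The capability arithmetic the thread is arguing over can be worked through in userspace. The following is an added example, not code from this thread or from fs/exec.c: it models the exec-time transformation documented for Linux capabilities (P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset); P'(effective) = P'(permitted) & F(effective); P'(inheritable) = P(inheritable)) on 64-bit masks, assumes a full bounding set, and takes the file's sets as given rather than deriving them from the file's uids. It then runs the (all,0,all) case from the thread and the opt-in case where the SUID program has raised something in its Inheritable set.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: a userspace model of the capability transformation applied
 * on execve(), as documented for Linux capabilities (no ambient set):
 *
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
 *   P'(effective)   = P'(permitted) & F(effective)
 *   P'(inheritable) = P(inheritable)
 *
 * Assumptions: capability sets are 64-bit masks, the bounding set cap_bset
 * is full, and the exec'd file's sets are supplied directly by the caller.
 */

typedef uint64_t caps_t;
#define CAP_ALL    (~(caps_t)0)
#define CAP_NONE   ((caps_t)0)
#define CAP_BIT(n) ((caps_t)1 << (n))

/* One real capability number (from <linux/capability.h>), used as the
 * capability the SUID program wants to hand down to its child. */
#define CAP_NET_BIND_SERVICE 10

/* Process sets, written PIE = (permitted, inheritable, effective) as in the thread. */
struct pie { caps_t p, i, e; };

/* File sets for the program being exec'd. */
struct fcaps { caps_t p, i, e; };

static const caps_t cap_bset = CAP_ALL;   /* assumed full bounding set */

/* Apply the exec transformation to the current sets `cur` for a file `f`. */
static struct pie cap_exec(struct pie cur, struct fcaps f)
{
    struct pie nw;
    nw.p = (cur.i & f.i) | (f.p & cap_bset);
    nw.e = nw.p & f.e;   /* effective is raised only where the file asks for it */
    nw.i = cur.i;        /* inheritable passes through unchanged */
    return nw;
}

/* The thread's scenario: a SUID program holding PIE=(all,0,all) is made to
 * exec a shell; the shell file carries no capabilities of its own. */
static struct pie scenario_overflowed_suid_execs_shell(void)
{
    struct pie suid = { CAP_ALL, CAP_NONE, CAP_ALL };
    struct fcaps sh = { CAP_NONE, CAP_NONE, CAP_NONE };
    return cap_exec(suid, sh);
}

/* The opt-in path: the SUID program has raised CAP_NET_BIND_SERVICE in its
 * Inheritable set. Whether the child gets it depends on the file's Inheritable
 * set (file_i); whether it starts effective depends on the file's Effective
 * set (file_e). */
static struct pie scenario_explicit_inherit(caps_t file_i, caps_t file_e)
{
    struct pie suid = { CAP_ALL, CAP_BIT(CAP_NET_BIND_SERVICE), CAP_ALL };
    struct fcaps sh = { CAP_NONE, file_i, file_e };
    return cap_exec(suid, sh);
}

/* Render a set in the thread's shorthand: "all", "0", or the raw mask. */
static const char *cap_str(caps_t c, char *buf, size_t len)
{
    if (c == CAP_ALL)  return "all";
    if (c == CAP_NONE) return "0";
    snprintf(buf, len, "0x%llx", (unsigned long long)c);
    return buf;
}

static void print_pie(const char *label, struct pie s)
{
    char b1[32], b2[32], b3[32];
    printf("%-36s PIE=(%s,%s,%s)\n", label,
           cap_str(s.p, b1, sizeof b1),
           cap_str(s.i, b2, sizeof b2),
           cap_str(s.e, b3, sizeof b3));
}

int main(void)
{
    print_pie("overflowed SUID execs shell:", scenario_overflowed_suid_execs_shell());
    print_pie("I raised, file I=0:",          scenario_explicit_inherit(CAP_NONE, CAP_NONE));
    print_pie("I raised, file I=all, E=0:",   scenario_explicit_inherit(CAP_ALL, CAP_NONE));
    print_pie("I raised, file I=all, E=all:", scenario_explicit_inherit(CAP_ALL, CAP_ALL));
    return 0;
}
```

The first scenario comes out as (0,0,0), which is the point Jesse is making: with an empty Inheritable set nothing survives the exec. The other three show that raising a capability in the SUID program's Inheritable set is necessary but not sufficient, since the file's own Inheritable set gates what is permitted and its Effective set gates what is effective at start. Note the (0,0,0) result assumes the exec'd file contributes nothing, i.e. the kernel is not in the root-compatibility mode where an euid-0 exec has the file sets raised for it; that mode is exactly what the capability-only model the thread discusses would replace.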


This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:12 EST