

The two bugs in Linux kernel: an interesting analogy


Date: Fri, 26 Oct 2001 16:34:12 +0200 (MET DST)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: bugtraq@securityfocus.com
Subject: The two bugs in Linux kernel: an interesting analogy

It seems there is an interesting analogy between the ptrace() bug
published by Rafal Wojtczuk and a (much less dangerous) problem with disk
quotas published by Wojciech Purczynski. In both cases, a program running
with elevated privileges inherits something (a traced process, a file
descriptor), and in both cases, it exercises its privileges on that
thing (in the first case, a traced process is allowed to execute
a setuid/setgid program (*); in the second case, the file is allowed
to grow past its owner's disk quota).

Apparently, it is not a good idea to mix two styles of access checks:
immediate checks using current process' credentials and checks based
on the possession of some sort of "capability" (i.e. a file descriptor)
that has been acquired in the past (perhaps using different credentials).

(*) Such a feature can be quite useful...assuming it is not implemented
in a way that introduces a big security hole.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
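
Added example, not part of the original message: a user-space C program that shows the two check styles the message contrasts, on an ordinary scratch file. It does not reproduce either kernel bug; `compare_check_styles`, `struct check_result` and the `/tmp` path are names constructed for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct check_result {
    int fd_write_ok;   /* 1 if write() through the old descriptor worked */
    int reopen_errno;  /* errno from a fresh open(), 0 if it succeeded */
};

/* Returns 0 on success, -1 if the scratch file could not be set up. */
int compare_check_styles(struct check_result *out)
{
    char path[] = "/tmp/fdcap-demo-XXXXXX";  /* constructed scratch file */
    int fd = mkstemp(path);                  /* created 0600, opened O_RDWR */
    if (fd < 0)
        return -1;
    /* Revoke every permission bit AFTER the descriptor was acquired. */
    if (fchmod(fd, 0) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    /* Capability style: the permission bits are not consulted again;
     * write() relies on the access mode fixed when the file was opened. */
    out->fd_write_ok = (write(fd, "x", 1) == 1);
    /* Immediate style: open() evaluates the caller's credentials now. */
    int fd2 = open(path, O_WRONLY);
    out->reopen_errno = (fd2 < 0) ? errno : 0;
    if (fd2 >= 0)
        close(fd2);
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    struct check_result r;
    if (compare_check_styles(&r) != 0)
        return 1;
    printf("write via old fd: %s\n", r.fd_write_ok ? "ok" : "failed");
    printf("fresh open():     %s\n", r.reopen_errno ? "denied" : "allowed");
    return 0;
}
```

When run as root the fresh open() also succeeds, because root bypasses the permission bits; the descriptor write succeeds either way.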
