On Wed, 2017-01-25 at 13:06 -0800, Andy Lutomirski wrote:
> If an unprivileged program opens a setgid file for write and passes
> the fd to a privileged program and the privileged program writes to
> it, we currently fail to clear the setgid bit. Fix it by checking
> f_cred instead of current's creds whenever a struct file is
> involved.
[...]

What if, instead, a privileged program passes the fd to an unprivileged
program? It sounds like a bad idea to start with, but at least currently
the unprivileged program is going to clear the setgid bit when it
writes. This change would make that behaviour more dangerous.

Perhaps there should be a capability check on both the current
credentials and file credentials? (I realise that we've considered file
credential checks to be sufficient elsewhere, but those cases involved
virtual files with special semantics, where it's clearer that a
privileged process should not pass them to an unprivileged process.)

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
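The two scenarios argued over above (unprivileged opener, privileged writer; privileged opener, unprivileged writer) come down to which process's credentials the kernel consults when it decides whether a write should drop S_ISGID. The program below is an added example for this thread, not code from the patch or from either poster. It creates setgid files and reports whether one write clears the bit, first when opener and writer are the same process, and then when a privileged opener hands the open file to a child that has dropped to an unprivileged uid before writing (Ben's case; passing the fd over a socket would behave the same, since f_cred belongs to the open, not to the receiver). It assumes Linux, a writable /tmp, and that uid/gid 65534 exists as a drop target when run as root; `has_cap_fsetid`, `make_sgid_file`, `same_process_write` and `less_privileged_writer` are names chosen here, not kernel or project APIs.

```c
/* sgid_write_demo.c: an added example, not code from the thread or from the
 * patch it discusses.  It shows whether a write through an open file clears
 * S_ISGID and whose credentials decide.  Assumes Linux, a writable /tmp and
 * uid/gid 65534 as an unprivileged drop target when run as root. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_ID 65534 /* "nobody" on most distributions (assumption) */

/* CAP_FSETID is bit 4 of CapEff in /proc/self/status (falls back to "euid is
 * 0" without /proc).  Caveat: the kernel judges capable(CAP_FSETID) against
 * the initial user namespace, so inside a user namespace CapEff can show the
 * bit while writes are still treated as unprivileged. */
int has_cap_fsetid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long caps = 0;
    if (!f)
        return geteuid() == 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &caps) == 1)
            break;
    fclose(f);
    return (int)((caps >> 4) & 1);
}

/* Regular file with S_ISGID plus `extra` bits, open for writing (-1 on error).
 * Chowned to our own egid first so fchmod() keeps the setgid bit even if
 * /tmp hands out another group; the fstat() confirms the bit really stuck. */
static int make_sgid_file(mode_t extra, char *path, size_t len)
{
    char tmpl[] = "/tmp/sgid-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    snprintf(path, len, "%s", tmpl);
    if (fchown(fd, (uid_t)-1, getegid()) != 0 ||
        fchmod(fd, S_IRUSR | S_IWUSR | S_ISGID | extra) != 0 ||
        fstat(fd, &st) != 0 || !(st.st_mode & S_ISGID)) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Scenario 1: opener and writer are the same process.  With extra == S_IXGRP
 * the setgid bit is "live" and a writer without CAP_FSETID loses it; with
 * extra == 0 it is not an executable's setgid and a write by a member of the
 * file's group leaves it alone.  Returns 1 = cleared, 0 = survived, -1 = error. */
int same_process_write(mode_t extra)
{
    char path[64];
    struct stat st;
    int r = -1;
    int fd = make_sgid_file(extra, path, sizeof path);
    if (fd < 0)
        return -1;
    if (write(fd, "x", 1) == 1 && fstat(fd, &st) == 0)
        r = (st.st_mode & S_ISGID) ? 0 : 1;
    close(fd);
    unlink(path);
    return r;
}

/* Scenario 2 (Ben's case): the opener keeps its privileges, the writer has
 * fewer.  The writer is a forked child which, when run as root, drops to
 * DROP_ID (and with it CAP_FSETID) before writing through the inherited
 * struct file.  A kernel that checks the writer's current creds clears the
 * bit; one that checks f_cred keeps it whenever the opener had CAP_FSETID. */
int less_privileged_writer(void)
{
    char path[64];
    struct stat st;
    int status = 0, r = -1;
    int fd = make_sgid_file(S_IXGRP, path, sizeof path);
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (geteuid() == 0 && (setgid(DROP_ID) != 0 || setuid(DROP_ID) != 0))
            _exit(2);
        _exit(write(fd, "x", 1) == 1 ? 0 : 2);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) == 0 && fstat(fd, &st) == 0)
        r = (st.st_mode & S_ISGID) ? 0 : 1;
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    printf("writer has CAP_FSETID:             %d\n", has_cap_fsetid());
    printf("same process, sgid + group exec:   %d\n", same_process_write(S_IXGRP));
    printf("same process, sgid, no group exec: %d\n", same_process_write(0));
    printf("privileged opener, dropped writer: %d\n", less_privileged_writer());
    return 0;
}
```

Run it once as an ordinary user and once as root. Unprivileged, both setgid-plus-group-exec cases report 1 under either credential rule, since nobody involved has CAP_FSETID. As root, the same-process case reports 0 on any kernel, and the last line is the one the thread is about: it reports 1 on a kernel that checks the writer's current credentials and 0 on one that checks the opener's f_cred, which is exactly the case Ben says becomes more dangerous. The setgid-without-group-exec case stays 0 throughout, because the kernel does not treat that bit as a live setgid when the writer is a member of the file's group.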