On Wed, Jan 25, 2017 at 01:06:50PM -0800, Andy Lutomirski wrote: > The kernel has some dangerous behavior involving the creation and > modification of setgid executables. These issues aren't kernel > security bugs per se, but they have been used to turn various > filesystem permission oddities into reliably privilege escalation > exploits. > > See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ > for a nice writeup. > > Let's fix them for real. BTW I like this. I vaguely remember having played with this when I was a student 2 decades ago on a system where /var/spool/mail was 3777 (yes, setgid+sticky) and the mail files were 660. You could deposit a shell there, then execute it with mail's permissions and access any mailbox. That was quite odd as a design choice. The impacts are often limited unless you find other ways to escalate but generally it's not really clean. Willy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
