7373783 2001-10-26 16:34 +0200  /25 lines/ Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
Sent by: joel@lysator.liu.se
Imported: 2001-10-27  00:55  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19615>
Subject: The two bugs in Linux kernel: an interesting analogy
------------------------------------------------------------
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: bugtraq@securityfocus.com
Message-ID: <20011026154929.5A4A.0@argo.troja.mff.cuni.cz>

It seems there is an interesting analogy between the ptrace() bug
published by Rafal Wojtczuk and a (much less dangerous) problem with
disk quotas published by Wojciech Purczynski. In both cases, a
program running with elevated privileges inherits something (a traced
process, a file descriptor), and in both cases, it exercises its
privileges on that thing (in the first case, a traced process is
allowed to execute a setuid/setgid program (*); in the second case,
the file is allowed to grow past its owner's disk quota).

Apparently, it is not a good idea to mix two styles of access checks:
immediate checks using the current process' credentials and checks based
on the possession of some sort of "capability" (i.e. a file descriptor)
that has been acquired in the past (perhaps using different
credentials).

(*) Such a feature can be quite useful...assuming it is not
implemented in a way that introduces a big security hole.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
(7373783) /Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>/(Rewrapped)