Re: PATCH: signals security

Rik van Riel (
Wed, 20 May 1998 14:35:32 +0200 (MET DST)

On Wed, 20 May 1998, Pavel Machek wrote:

> > > + * 1998-05-19 Security fix: don't allow SIGKILL & friends just because
> > > + * you have same real uid. Pavel Machek
> >
> > Catastrophe. I can no longer kill processes I created that happened to be
> > setuid. Please _THINK_ what you are trying to achieve, and understand why
> Ok - what I'm trying to achieve is that user will no longer be able to
> kill suid X server with SIGKILL. Please take a look at code: you still

Let me summarize:
- you want to disallow SIGKILL to processes which do raw I/O
- so you check for the suid() bit.

This is obviously _not_ correct, since:
- raw I/O will be a capability CAP_RAW_IO
- root may have some raw-I/O programs that are _not_ suid,
since root is the only one who is allowed to use the program

You are probably better off using some of the code in
my Out-Of-Memory killer. It checks:
- whether the x86 I/O bitmap has been set up
- whether the process has raw I/O capability (CAP_RAW_IO)

Now we probably want to modify the ioperm() and iopl()
syscalls to set CAP_RAW_IO, so we can do an easy arch
independant check.
(the capability itself is in the allowed bitmap and
it should only be set in the current bitmap when it's
actually used)

| Linux: - LinuxHQ MM-patches page | Scouting webmaster |
| - kswapd ask-him & complain-to guy | Vries cubscout leader |
| | <> |

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to