Invalid checking of directory in *permission()

From: Wojciech Purczynski (wp@elzabsoft.pl)
Date: Thu Jul 13 2000 - 01:47:16 EST


Hello,

I've found a bug in the *permission() functions that check the CAP_DAC_READ_SEARCH
capability to access a directory. Those functions use a local variable
named 'mode' which is initialized on startup to inode->i_mode but later in
the code its value may be shifted by 3 or 6 bits. Then it is used to check
if the current inode is a directory with the S_ISDIR(mode) macro. This is invalid
and should be S_ISDIR(inode->i_node).

If a process has CAP_DAC_OVERRIDE cleared and CAP_DAC_READ_SEARCH raised
it may cause security problems.

Problem exists in kernels up to 2.2.17pre10 (and probably 2.4.0).

I attached a patch against the 2.2.16 kernel but I haven't tested it.

Greets,
-wp

PS: Please include me in CC as I'm not subscribed to the list.

+--------------------------------------------------------------------+
| Wojciech Purczynski wp@elzabsoft.pl http://www.elzabsoft.pl/~wp |
| GSM: +48604432981 Linux Administrator SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key: http://www.elzabsoft.pl/~wp/gpg.asc ------+




This archive was generated by hypermail 2b29 : Sat Jul 15 2000 - 21:00:16 EST