[grsec] gr_handle_chroot_chmod() permissions
Thomas Jarosch
thomas.jarosch at intra2net.com
Fri Aug 19 09:49:17 EDT 2005
Hello,

the gr_handle_chroot_chmod() code does a permission check like this
and denies the request if true:

    (mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))

IMHO it's still possible to have a file which sets S_ISGID and S_IXOTH.
What about making the code more restrictive like this:

    mode & (S_ISUID | S_ISGID) && mode & (S_IXUSR | S_IXGRP | S_IXOTH)

Or is it desired to have a file with S_ISGID and S_IXUSR set in a chroot?

I've created the attached patch while tracking down a bug
in F-Secure's fsav for linux pattern database update tool.
(It creates a lockfile with random permissions,
sometimes results in S_ISUID set).

Best regards,
Thomas Jarosch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grsecurity-chroot-chmod.patch
Type: text/x-diff
Size: 628 bytes
Desc: not available
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20050819/8eb1a604/grsecurity-chroot-chmod.bin