[grsec] gr_handle_chroot_chmod() permissions

Thomas Jarosch thomas.jarosch at intra2net.com
Mon Aug 22 03:49:45 EDT 2005


On Saturday 20 August 2005 21:17, Brad Spengler wrote:
> > the gr_handle_chroot_chmod() code does a permission check like this
> > and denies the request if true:
> >
> > (mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
> >
> > IMHO it's still possible to have a file which sets S_ISGID and S_IXOTH.
>
> It is, but in the case of S_ISGID & ~S_IXGRP, it's a mandatory lock.  So a
> file with S_ISGID & S_IXOTH poses no security risk, because it doesn't work
> like a sgid binary, which is what we're trying to prevent with this
> feature.

Ok. Thanks for clearing this up.

Best regards,
Thomas Jarosch


More information about the grsecurity mailing list