diff options
author | Hugh Dickins <hugh@veritas.com> | 2009-03-28 19:20:19 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-03-28 20:30:00 -0400 |
commit | e426b64c412aaa3e9eb3e4b261dc5be0d5a83e78 (patch) | |
tree | c1528139b34fef3e4595576266c64068098fe211 /fs/compat.c | |
parent | 53e9309e01277ec99c38e84e0ca16921287cf470 (diff) |
fix setuid sometimes doesn't
Joe Malicki reports that setuid sometimes doesn't: very rarely,
a setuid root program does not get root euid; and, by the way,
they have a health check running lsof every few minutes.
Right, check_unsafe_exec() notes whether the files_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/fd and /proc/<pid>/fdinfo lookups make transient
use of get_files_struct(), which also raises that sharing count.
There's a rather simple fix for this: exec's check on files->count
has been redundant ever since 2.6.1 made it unshare_files() (except
while compat_do_execve() omitted to do so) - just remove that check.
[Note to -stable: this patch will not apply before 2.6.29: earlier
releases should just remove the files->count line from unsafe_exec().]
Reported-by: Joe Malicki <jmalicki@metacarta.com>
Narrowed-down-by: Michael Itz <mitz@metacarta.com>
Tested-by: Joe Malicki <jmalicki@metacarta.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/compat.c')
-rw-r--r-- | fs/compat.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/compat.c b/fs/compat.c index b543363dd625..55efdfebdf5a 100644 --- a/fs/compat.c +++ b/fs/compat.c | |||
@@ -1441,7 +1441,7 @@ int compat_do_execve(char * filename, | |||
1441 | bprm->cred = prepare_exec_creds(); | 1441 | bprm->cred = prepare_exec_creds(); |
1442 | if (!bprm->cred) | 1442 | if (!bprm->cred) |
1443 | goto out_unlock; | 1443 | goto out_unlock; |
1444 | check_unsafe_exec(bprm, current->files); | 1444 | check_unsafe_exec(bprm); |
1445 | 1445 | ||
1446 | file = open_exec(filename); | 1446 | file = open_exec(filename); |
1447 | retval = PTR_ERR(file); | 1447 | retval = PTR_ERR(file); |