aboutsummaryrefslogtreecommitdiffstats
path: root/fs/exec.c
diff options
context:
space:
mode:
authorHugh Dickins <hugh@veritas.com>2009-03-28 19:20:19 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-03-28 20:30:00 -0400
commite426b64c412aaa3e9eb3e4b261dc5be0d5a83e78 (patch)
treec1528139b34fef3e4595576266c64068098fe211 /fs/exec.c
parent53e9309e01277ec99c38e84e0ca16921287cf470 (diff)
fix setuid sometimes doesn't
Joe Malicki reports that setuid sometimes doesn't: very rarely, a setuid root program does not get root euid; and, by the way, they have a health check running lsof every few minutes. Right, check_unsafe_exec() notes whether the files_struct is being shared by more threads than will get killed by the exec, and if so sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid. But /proc/<pid>/fd and /proc/<pid>/fdinfo lookups make transient use of get_files_struct(), which also raises that sharing count. There's a rather simple fix for this: exec's check on files->count has been redundant ever since 2.6.1 made it unshare_files() (except while compat_do_execve() omitted to do so) - just remove that check. [Note to -stable: this patch will not apply before 2.6.29: earlier releases should just remove the files->count line from unsafe_exec().] Reported-by: Joe Malicki <jmalicki@metacarta.com> Narrowed-down-by: Michael Itz <mitz@metacarta.com> Tested-by: Joe Malicki <jmalicki@metacarta.com> Signed-off-by: Hugh Dickins <hugh@veritas.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c10
1 files changed, 3 insertions, 7 deletions
diff --git a/fs/exec.c b/fs/exec.c
index b9f1c144b7a1..c5128fbc9165 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1056,28 +1056,24 @@ EXPORT_SYMBOL(install_exec_creds);
1056 * - the caller must hold current->cred_exec_mutex to protect against 1056 * - the caller must hold current->cred_exec_mutex to protect against
1057 * PTRACE_ATTACH 1057 * PTRACE_ATTACH
1058 */ 1058 */
1059void check_unsafe_exec(struct linux_binprm *bprm, struct files_struct *files) 1059void check_unsafe_exec(struct linux_binprm *bprm)
1060{ 1060{
1061 struct task_struct *p = current, *t; 1061 struct task_struct *p = current, *t;
1062 unsigned long flags; 1062 unsigned long flags;
1063 unsigned n_fs, n_files, n_sighand; 1063 unsigned n_fs, n_sighand;
1064 1064
1065 bprm->unsafe = tracehook_unsafe_exec(p); 1065 bprm->unsafe = tracehook_unsafe_exec(p);
1066 1066
1067 n_fs = 1; 1067 n_fs = 1;
1068 n_files = 1;
1069 n_sighand = 1; 1068 n_sighand = 1;
1070 lock_task_sighand(p, &flags); 1069 lock_task_sighand(p, &flags);
1071 for (t = next_thread(p); t != p; t = next_thread(t)) { 1070 for (t = next_thread(p); t != p; t = next_thread(t)) {
1072 if (t->fs == p->fs) 1071 if (t->fs == p->fs)
1073 n_fs++; 1072 n_fs++;
1074 if (t->files == files)
1075 n_files++;
1076 n_sighand++; 1073 n_sighand++;
1077 } 1074 }
1078 1075
1079 if (atomic_read(&p->fs->count) > n_fs || 1076 if (atomic_read(&p->fs->count) > n_fs ||
1080 atomic_read(&p->files->count) > n_files ||
1081 atomic_read(&p->sighand->count) > n_sighand) 1077 atomic_read(&p->sighand->count) > n_sighand)
1082 bprm->unsafe |= LSM_UNSAFE_SHARE; 1078 bprm->unsafe |= LSM_UNSAFE_SHARE;
1083 1079
@@ -1300,7 +1296,7 @@ int do_execve(char * filename,
1300 bprm->cred = prepare_exec_creds(); 1296 bprm->cred = prepare_exec_creds();
1301 if (!bprm->cred) 1297 if (!bprm->cred)
1302 goto out_unlock; 1298 goto out_unlock;
1303 check_unsafe_exec(bprm, displaced); 1299 check_unsafe_exec(bprm);
1304 1300
1305 file = open_exec(filename); 1301 file = open_exec(filename);
1306 retval = PTR_ERR(file); 1302 retval = PTR_ERR(file);