diff options
| author | Hugh Dickins <hugh@veritas.com> | 2009-03-28 19:20:19 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-03-28 20:30:00 -0400 |
| commit | e426b64c412aaa3e9eb3e4b261dc5be0d5a83e78 (patch) | |
| tree | c1528139b34fef3e4595576266c64068098fe211 /fs/exec.c | |
| parent | 53e9309e01277ec99c38e84e0ca16921287cf470 (diff) | |
fix setuid sometimes doesn't
Joe Malicki reports that setuid sometimes doesn't: very rarely,
a setuid root program does not get root euid; and, by the way,
they have a health check running lsof every few minutes.
Right, check_unsafe_exec() notes whether the files_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/fd and /proc/<pid>/fdinfo lookups make transient
use of get_files_struct(), which also raises that sharing count.
There's a rather simple fix for this: exec's check on files->count
has been redundant ever since 2.6.1 made it unshare_files() (except
while compat_do_execve() omitted to do so) - just remove that check.
[Note to -stable: this patch will not apply before 2.6.29: earlier
releases should just remove the files->count line from unsafe_exec().]
Reported-by: Joe Malicki <jmalicki@metacarta.com>
Narrowed-down-by: Michael Itz <mitz@metacarta.com>
Tested-by: Joe Malicki <jmalicki@metacarta.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/exec.c')
| -rw-r--r-- | fs/exec.c | 10 |
1 files changed, 3 insertions, 7 deletions
| @@ -1056,28 +1056,24 @@ EXPORT_SYMBOL(install_exec_creds); | |||
| 1056 | * - the caller must hold current->cred_exec_mutex to protect against | 1056 | * - the caller must hold current->cred_exec_mutex to protect against |
| 1057 | * PTRACE_ATTACH | 1057 | * PTRACE_ATTACH |
| 1058 | */ | 1058 | */ |
| 1059 | void check_unsafe_exec(struct linux_binprm *bprm, struct files_struct *files) | 1059 | void check_unsafe_exec(struct linux_binprm *bprm) |
| 1060 | { | 1060 | { |
| 1061 | struct task_struct *p = current, *t; | 1061 | struct task_struct *p = current, *t; |
| 1062 | unsigned long flags; | 1062 | unsigned long flags; |
| 1063 | unsigned n_fs, n_files, n_sighand; | 1063 | unsigned n_fs, n_sighand; |
| 1064 | 1064 | ||
| 1065 | bprm->unsafe = tracehook_unsafe_exec(p); | 1065 | bprm->unsafe = tracehook_unsafe_exec(p); |
| 1066 | 1066 | ||
| 1067 | n_fs = 1; | 1067 | n_fs = 1; |
| 1068 | n_files = 1; | ||
| 1069 | n_sighand = 1; | 1068 | n_sighand = 1; |
| 1070 | lock_task_sighand(p, &flags); | 1069 | lock_task_sighand(p, &flags); |
| 1071 | for (t = next_thread(p); t != p; t = next_thread(t)) { | 1070 | for (t = next_thread(p); t != p; t = next_thread(t)) { |
| 1072 | if (t->fs == p->fs) | 1071 | if (t->fs == p->fs) |
| 1073 | n_fs++; | 1072 | n_fs++; |
| 1074 | if (t->files == files) | ||
| 1075 | n_files++; | ||
| 1076 | n_sighand++; | 1073 | n_sighand++; |
| 1077 | } | 1074 | } |
| 1078 | 1075 | ||
| 1079 | if (atomic_read(&p->fs->count) > n_fs || | 1076 | if (atomic_read(&p->fs->count) > n_fs || |
| 1080 | atomic_read(&p->files->count) > n_files || | ||
| 1081 | atomic_read(&p->sighand->count) > n_sighand) | 1077 | atomic_read(&p->sighand->count) > n_sighand) |
| 1082 | bprm->unsafe |= LSM_UNSAFE_SHARE; | 1078 | bprm->unsafe |= LSM_UNSAFE_SHARE; |
| 1083 | 1079 | ||
| @@ -1300,7 +1296,7 @@ int do_execve(char * filename, | |||
| 1300 | bprm->cred = prepare_exec_creds(); | 1296 | bprm->cred = prepare_exec_creds(); |
| 1301 | if (!bprm->cred) | 1297 | if (!bprm->cred) |
| 1302 | goto out_unlock; | 1298 | goto out_unlock; |
| 1303 | check_unsafe_exec(bprm, displaced); | 1299 | check_unsafe_exec(bprm); |
| 1304 | 1300 | ||
| 1305 | file = open_exec(filename); | 1301 | file = open_exec(filename); |
| 1306 | retval = PTR_ERR(file); | 1302 | retval = PTR_ERR(file); |