CAP_SETUID, does it have a family in the kernel ?
I thought I would touch on the recent CAP_SETUID bug/hole in the kernel.
Better to start at the most recent problem IMHO.
As you know this affects kernels < 2.2.16 and 2.3.x kernels (with the
exception of -ac11).
A good explanation of how to exploit this and/or how it works can be found at
http://sendmail.net/?feed=000607linuxbug#two
Could this possibly have a cousin lying around elsewhere in
the kernel ?
I think so, the probability of something like this having a cousin is very
high. The critical value of stomping this out is also high.
So I issue a first task:
To audit the kernels 2.2.x and 2.3.x for a cousin or a function() similar.
But where does everyone begin ?
I feel that a security audit divided into sections will benefit more than
every man for himself diving into various parts of the kernel.
Where do I personally think we should start ?
/usr/src/linux*/fs/
Where better to start than fs, particularly with our devil friend NFS.
All flame/feedback/whatever is encouraged.
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/
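The kernel hole the post refers to (CVE-2000-0506, fixed in 2.2.16) is a good illustration of why the userland side of an audit matters as much as the kernel side: a process could shed CAP_SETUID, a later setuid() then failed with EPERM, and privileged programs that never looked at the return value carried on running as root. The following is an added example written for this editorial pass, not code from the post, the list, or any kernel or sendmail source. It shows the unchecked pattern beside a privilege drop that checks the return value and then verifies the drop actually happened; the function names and the fallback behaviour are the editor's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The faulty pattern (illustrative, not quoted from any real program):
 * the return value of setuid() is discarded, so if the kernel refuses the
 * call the process silently keeps its original (possibly root) uid. */
int drop_privileges_unchecked(uid_t target)
{
    setuid(target);
    return 0; /* reports success no matter what happened */
}

/* Hardened privilege drop. Returns 0 only when the drop is verified,
 * -1 otherwise. Callers must treat -1 as fatal and exit, never continue. */
int drop_privileges_checked(uid_t target)
{
    /* 1. Check the syscall result. On a kernel that lets a caller lose
     *    CAP_SETUID, this is exactly where the refusal becomes visible. */
    if (setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)target, strerror(errno));
        return -1;
    }

    /* 2. Do not trust the return value alone: re-read the real and
     *    effective uid and confirm both now hold the target value. */
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "uid mismatch after setuid: real=%lu eff=%lu\n",
                (unsigned long)getuid(), (unsigned long)geteuid());
        return -1;
    }

    /* 3. If root was supposed to be left behind, make sure it cannot be
     *    regained (a saved uid of 0 would let setuid(0) succeed again). */
    if (target != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop incomplete: root regained\n");
        return -1;
    }
    return 0;
}

/* Stand-alone demo: drops to the invoking user's own uid, which every
 * process is permitted to do, so it runs unprivileged as well as root. */
int main(void)
{
    uid_t me = getuid();
    if (drop_privileges_checked(me) != 0) {
        fprintf(stderr, "refusing to continue with unverified privileges\n");
        return 1;
    }
    printf("running as uid %lu (verified)\n", (unsigned long)geteuid());
    return 0;
}
```

Dropping to the caller's own uid is always permitted, so the demo succeeds whether or not it is started as root; the interesting path is a target uid the kernel refuses, where the unchecked version returns 0 and the checked version returns -1 with the errno printed.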