[patch 4/4] MAP_NOZERO v2 - avoid ptrace/setuid+exec races

To: Linux Kernel Mailing List <linux-kernel@...>
Cc: Rik van Riel <riel@...>, Andy Isaacson <adi@...>
Date: Thursday, June 28, 2007 - 2:49 pm

It can happen that a root application doing:

     setuid(newuid);
                         <- ptrace_attach();
     exec(...);
     exit(1);

is raced by an application running under "newuid", is ptrace-attached
and has its memory peeked/poked.
The patch adds a new "exec uid" that is set only after the complete detach
from the old process context is done. ptrace's may_attach() function
is also changed to check that the attacher xuid matches the attached xuid.

Signed-off-by: Davide Libenzi <davidel@xmailserver.org>

- Davide

---
 fs/exec.c             |    2 ++
 include/linux/sched.h |    2 +-
 kernel/ptrace.c       |    1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

Index: linux-2.6.mod/fs/exec.c
===================================================================
--- linux-2.6.mod.orig/fs/exec.c	2007-06-28 11:45:06.000000000 -0700
+++ linux-2.6.mod/fs/exec.c	2007-06-28 11:45:20.000000000 -0700
@@ -905,6 +905,8 @@
 	flush_signal_handlers(current, 0);
 	flush_old_files(current->files);
 
+	current->xuid = current->uid;
+
 	return 0;
 
 mmap_failed:
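Review bot: the store `current->xuid = current->uid;` is the only place the new field is ever written, so a task that changes uid with setuid() and never execs keeps the xuid of its last exec (or, if it never exec'd itself, the value inherited from its parent); such a task is then unattachable by a tracer running under the new uid, which is presumably intended for the drop-privileges-without-exec daemon case, but the changelog should say so explicitly. A one-line comment at the store would also help, e.g. `/* uid at last exec; checked by may_attach() in kernel/ptrace.c */`, together with a word on why it sits at the very end of flush_old_exec rather than next to the other credential updates, and a note that on the `mmap_failed:` path the old value is left untouched.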
Index: linux-2.6.mod/include/linux/sched.h
===================================================================
--- linux-2.6.mod.orig/include/linux/sched.h	2007-06-28 11:45:20.000000000 -0700
+++ linux-2.6.mod/include/linux/sched.h	2007-06-28 11:45:20.000000000 -0700
@@ -917,7 +917,7 @@
 	struct list_head cpu_timers[3];
 
 /* process credentials */
-	uid_t uid,euid,suid,fsuid;
+	uid_t uid,euid,suid,fsuid,xuid;
 	gid_t gid,egid,sgid,fsgid;
 	struct group_info *group_info;
 	kernel_cap_t   cap_effective, cap_inheritable, cap_permitted;
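Review bot: the new `xuid` member lands in the credential block with no comment, and the name does not say what it holds; `uid,euid,suid,fsuid` have well-known meanings, so `xuid` should carry at least a trailing comment such as `/* uid at the time of the last exec, see fs/exec.c and kernel/ptrace.c */`. There is also no gid counterpart: may_attach() compares gid/egid/sgid in the same chain as the uid tests, so a setgid()+exec sequence leaves the same window as the setuid case this patch closes; either add an `xgid` alongside, or state in the changelog why group changes are out of scope.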
Index: linux-2.6.mod/kernel/ptrace.c
===================================================================
--- linux-2.6.mod.orig/kernel/ptrace.c	2007-06-28 11:45:06.000000000 -0700
+++ linux-2.6.mod/kernel/ptrace.c	2007-06-28 11:45:20.000000000 -0700
@@ -135,6 +135,7 @@
 		return 0;
 	if (((current->uid != task->euid) ||
 	     (current->uid != task->suid) ||
+	     (current->xuid != task->xuid) ||
 	     (current->uid != task->uid) ||
 	     (current->gid != task->egid) ||
 	     (current->gid != task->sgid) ||
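Review bot: the new `(current->xuid != task->xuid)` test compares the tracer's own exec-time uid with the target's, which is stricter than the changelog's "attacher xuid matches attached xuid" suggests: a tracer that dropped from root to newuid without exec keeps xuid == 0 and can only attach to other tasks whose xuid is also 0, whereas `current->uid != task->xuid` would close the setuid/exec window on the target side alone. Either is defensible, but the choice should be made and stated explicitly. The line is also sandwiched between the suid and uid comparisons with no explanation; move it next to `(current->uid != task->uid)` or add a short comment saying what it guards against.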
