diff options
| author | Hugh Dickins <hugh@veritas.com> | 2009-03-28 23:20:19 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-05-08 15:45:06 -0700 |
| commit | 47fc5f8d08deb87841757643affa95eeeda3c39d (patch) | |
| tree | 206eb1c16c86b64b03f900569ff4b8dfff2185a7 | |
| parent | 3d068235e6c8580431f47254b71f75b1e70e6b26 (diff) | |
fix setuid sometimes doesn't
commit e426b64c412aaa3e9eb3e4b261dc5be0d5a83e78 upstream.
Joe Malicki reports that setuid sometimes doesn't: very rarely,
a setuid root program does not get root euid; and, by the way,
they have a health check running lsof every few minutes.
Right, check_unsafe_exec() notes whether the files_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/fd and /proc/<pid>/fdinfo lookups make transient
use of get_files_struct(), which also raises that sharing count.
There's a rather simple fix for this: exec's check on files->count
has been redundant ever since 2.6.1 made it unshare_files() (except
while compat_do_execve() omitted to do so) - just remove that check.
[Note to -stable: this patch will not apply before 2.6.29: earlier
releases should just remove the files->count line from unsafe_exec().]
Reported-by: Joe Malicki <jmalicki@metacarta.com>
Narrowed-down-by: Michael Itz <mitz@metacarta.com>
Tested-by: Joe Malicki <jmalicki@metacarta.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | fs/compat.c | 2 | ||||
| -rw-r--r-- | fs/exec.c | 10 | ||||
| -rw-r--r-- | fs/internal.h | 2 |
3 files changed, 5 insertions, 9 deletions
diff --git a/fs/compat.c b/fs/compat.c index 2b1a8c442404..59b8a10e6554 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -1412,7 +1412,7 @@ int compat_do_execve(char * filename, bprm->cred = prepare_exec_creds(); if (!bprm->cred) goto out_unlock; - check_unsafe_exec(bprm, current->files); + check_unsafe_exec(bprm); file = open_exec(filename); retval = PTR_ERR(file); diff --git a/fs/exec.c b/fs/exec.c index 929b58004b7e..91c55c41188f 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1049,28 +1049,24 @@ EXPORT_SYMBOL(install_exec_creds); * - the caller must hold current->cred_exec_mutex to protect against * PTRACE_ATTACH */ -void check_unsafe_exec(struct linux_binprm *bprm, struct files_struct *files) +void check_unsafe_exec(struct linux_binprm *bprm) { struct task_struct *p = current, *t; unsigned long flags; - unsigned n_fs, n_files, n_sighand; + unsigned n_fs, n_sighand; bprm->unsafe = tracehook_unsafe_exec(p); n_fs = 1; - n_files = 1; n_sighand = 1; lock_task_sighand(p, &flags); for (t = next_thread(p); t != p; t = next_thread(t)) { if (t->fs == p->fs) n_fs++; - if (t->files == files) - n_files++; n_sighand++; } if (atomic_read(&p->fs->count) > n_fs || - atomic_read(&p->files->count) > n_files || atomic_read(&p->sighand->count) > n_sighand) bprm->unsafe |= LSM_UNSAFE_SHARE; @@ -1289,7 +1285,7 @@ int do_execve(char * filename, bprm->cred = prepare_exec_creds(); if (!bprm->cred) goto out_unlock; - check_unsafe_exec(bprm, displaced); + check_unsafe_exec(bprm); file = open_exec(filename); retval = PTR_ERR(file); diff --git a/fs/internal.h b/fs/internal.h index 0d8ac497b3d5..53af885f1732 100644 --- a/fs/internal.h +++ b/fs/internal.h @@ -43,7 +43,7 @@ extern void __init chrdev_init(void); /* * exec.c */ -extern void check_unsafe_exec(struct linux_binprm *, struct files_struct *); +extern void check_unsafe_exec(struct linux_binprm *); /* * namespace.c |