Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 23 Apr 2009 13:49:21 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: missing capabilities in fs_mask

Eugene Teo wrote:
> "When POSIX capabilities were introduced during the 2.1 Linux cycle, the
> fs mask, which represents the capabilities which having fsuid==0 is
> supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE.
> However, before capabilities the privilege to call these did in fact
> depend upon fsuid==0.
> 
> This patch introduces those capabilities into the fsmask, restoring the
> old behavior.
> 
> See the thread starting at http://lkml.org/lkml/2009/3/11/157 for reference.
> 
> Note that if this fix is deemed valid, then earlier kernel versions (2.4
> and 2.2) ought to be fixed too.
> 
> Changelog:
>  [Mar 23] Actually delete old CAP_FS_SET definition...
>  [Mar 20] Updated against J. Bruce Fields's patch"
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=497047
> http://lwn.net/Articles/328572/?format=printable
> http://lwn.net/Articles/328594/?format=printable
> http://git.kernel.org/linus/0ad30b8fd5fe798aae80df6344b415d8309342cc

Here's the link to the kernel 2.4 patch:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=1c06d5237647db43cb2043a19cb393f4ed4d942f

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ