Date: Fri, 25 Feb 2011 15:10:10 +0300 From: Vasiliy Kulikov <segoon@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Kees, On Thu, Feb 24, 2011 at 16:32 -0800, Kees Cook wrote: > Having a system with acpi and debugfs built into the kernel allows > a uid=0 user (without capabilities, e.g. in containers) Does it fit into any current security model? I mean that containers of vanilla kernel are not fully restricted, neither sysfs or procfs differ much in different namespaces. If one may locate one sysfs file it may locate all of them (chrooting into /sys is rather pointless :-D); with sysfs one may change many hardware setting, they are driver-dependend, but still very sensitive. With /proc/sys/ one (inside of namespace constainer) may change sysctl settings. I suppose that it is not hard to gain full root in such situation even without any bugs in sysfs file read/write implementations (I didn't tried it, though). UID 0 without capabilities has not been made really unprivileged yet. It makes sense only within namespace container without any virtual filesystem which handles permissions with uid/gid checks (not CAP_*). But this is rather strange. Thanks, -- Vasiliy
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.