Description of problem: a user can execute suid binaries even when not having exec permission for them by calling suid_libia32x.so and passing it a file descriptor of the suid binary open for read. Version-Release number of selected component (if applicable): suid_libia32x.so : 4602 How reproducible: Steps to Reproduce: 1. prepare a root owned setuid binary - 'exec_as_root' 2. deny exec rights from a regular user - 'johndoe' 3. prepare a program 'xx' that opens 'exec_as_root' for reading and then calls execl ("/usr/lib/ia32el/suid_libia32x.so", "suid_libia32x.so", fd_str, NULL); where fd_str is a string containing the fd of exec_as_root Actual results: exec_as_root will be executed Expected results: permission denied Additional info:
Created attachment 101330 [details] fixes the problem with suid_libia32x.so the patch addes to suid_libia32x.so a check for exec permissions before starting emulation of the 32 bit binary.
in 'steps to reproduce' above - the exec_as_root needs to be i386 binary