Description of problem: When creating a file, open()/creat() allows the setgid bit to be set via the mode argument even when, due to the bsdgroups mount option or the file being created in a setgid directory, the new file's group is one which the user is not a member of. The user can then use ftruncate() and memory-mapped I/O to turn the new file into an arbitrary binary and thus gain the privileges of this group, since these operations do not clear the setgid bit.
Reference: http://bugzilla.kernel.org/show_bug.cgi?id=8420
Created attachment 317560: Reproducer
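The condition the report describes, a regular file carrying the setgid bit whose owner is not a member of the file's group, is also something an administrator can audit for after the fact. The following scanner is an added example written for this page; it is neither the attached reproducer nor the kernel patch referenced below. The paths, uids and gids in the sample data are constructed, and skipping root-owned files is an assumption (root may legitimately set the bit for any group via CAP_FSETID).

```python
"""Audit a tree for setgid regular files whose owner is not in the file's group.

Added example; not code from the bug report or the referenced kernel commits.
The membership check is kept separate from the filesystem walk so the logic
can be exercised on constructed records without touching a real filesystem.
"""
import grp
import os
import pwd
import stat
import sys
from typing import Dict, Iterable, List, NamedTuple, Set


class FileRecord(NamedTuple):
    path: str
    mode: int  # st_mode: file-type bits plus permission bits
    uid: int   # owning user
    gid: int   # owning group


def owner_in_group(uid: int, gid: int, membership: Dict[int, Set[int]]) -> bool:
    """membership maps a uid to every gid it belongs to (primary and supplementary)."""
    return gid in membership.get(uid, set())


def is_rogue_setgid(rec: FileRecord, membership: Dict[int, Set[int]]) -> bool:
    """True for a regular file with S_ISGID whose owner is not in the file's group.

    That combination is exactly what the report says an unprivileged user could
    produce.  Root-owned files are skipped (assumption: root holds CAP_FSETID and
    may legitimately set the bit for any group, e.g. system setgid binaries).
    """
    if not stat.S_ISREG(rec.mode) or not (rec.mode & stat.S_ISGID):
        return False
    if rec.uid == 0:
        return False
    return not owner_in_group(rec.uid, rec.gid, membership)


def find_rogue_setgid(records: Iterable[FileRecord],
                      membership: Dict[int, Set[int]]) -> List[str]:
    """Paths of all records that trip is_rogue_setgid, sorted for stable output."""
    return sorted(r.path for r in records if is_rogue_setgid(r, membership))


def system_membership() -> Dict[int, Set[int]]:
    """Build uid -> gids from the local passwd and group databases."""
    by_uid: Dict[int, Set[int]] = {}
    uid_of: Dict[str, int] = {}
    for pw in pwd.getpwall():
        by_uid.setdefault(pw.pw_uid, set()).add(pw.pw_gid)  # primary group
        uid_of[pw.pw_name] = pw.pw_uid
    for g in grp.getgrall():
        for member in g.gr_mem:  # supplementary groups
            if member in uid_of:
                by_uid.setdefault(uid_of[member], set()).add(g.gr_gid)
    return by_uid


def collect_records(root: str) -> List[FileRecord]:
    """lstat every file under root; symlinks are recorded as links, not followed."""
    found: List[FileRecord] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            found.append(FileRecord(path, st.st_mode, st.st_uid, st.st_gid))
    return found


# Constructed sample data: uid 1000 belongs to gids 1000 and 27 only;
# gid 50 is a group it is not a member of.
SAMPLE_MEMBERSHIP: Dict[int, Set[int]] = {1000: {1000, 27}}
SAMPLE_RECORDS = [
    FileRecord("/srv/shared/report",  stat.S_IFREG | 0o2755, 1000, 27),  # setgid, owner in group
    FileRecord("/srv/shared/planted", stat.S_IFREG | 0o2755, 1000, 50),  # setgid, owner NOT in group
    FileRecord("/srv/shared/plain",   stat.S_IFREG | 0o755,  1000, 50),  # no setgid bit
    FileRecord("/srv/shared",         stat.S_IFDIR | 0o2775, 1000, 50),  # setgid directory, not a file
    FileRecord("/usr/bin/tool",       stat.S_IFREG | 0o2755, 0,    50),  # root-owned, skipped
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = find_rogue_setgid(collect_records(sys.argv[1]), system_membership())
    else:
        hits = find_rogue_setgid(SAMPLE_RECORDS, SAMPLE_MEMBERSHIP)
    for path in hits:
        print("setgid file whose owner is not in its group:", path)
```

Run with a directory argument to scan a real tree (for example a bsdgroups-mounted filesystem or a setgid project directory); without an argument it evaluates the constructed sample, where only /srv/shared/planted is reported. A hit is not proof of exploitation, but on a patched kernel it should be rare enough to be worth a look.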
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7b82dc0e64e93f430182f36b46b79fcee87d3532
Additional references: http://article.gmane.org/gmane.comp.security.oss.general/974
(In reply to comment #7)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7b82dc0e64e93f430182f36b46b79fcee87d3532

This should include commit 01de85e057328ecbef36e108673b1e81059d54c1 as well.
http://marc.info/?l=linux-kernel&m=101812479210977&w=2
(In reply to comment #18)
> http://marc.info/?l=linux-kernel&m=101812479210977&w=2

More references:
http://marc.info/?l=linux-kernel&m=101811359004161&w=2
http://marc.info/?l=linux-kernel&m=101811887207549&w=2
Is there a RHSA coming for this for RH 4, a la http://www.redhat.com/support/errata/RHSA-2008-0957.html?
This was addressed via:
Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 5 (RHSA-2008:0957)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)