-
Paolo \'Blaisorblade\' Giarrusso authored
Frank Fricke reported that hostfs does not verify that a chmod +s, for instance, is done by a sufficiently privileged user, as long as the UML kernel itself can complete the operation on the host. So, for instance, if UML is run as root and under /mnt/host we have a hostfs mount, this works successfully: paolo@zion:~ (0)$ chmod 4755 /mnt/host/bin/bash paolo@zion:~ (0)$ ll /mnt/host/bin/bash -rwsr-xr-x 1 root root 662724 2004-10-20 02:15 /mnt/host/bin/bash* (bash refuses running as setuid, but you could have another shell on the host, as dash or whatever). In general, if UML is run as uid 500 on the host, a hostfs mount is done and under the hostfs mount there is a file with uid 500 on the host, I can freely make it setuid (if it's executable). This is especially bad when UML is run as root (which you should not do), but is a problem in general, since it allows any user to create setuid 500 (in this example) executables on the host filesystem. Finally, while I was looking at the chmod() implementation, I spotted a kludge in the code and explained it with a comment. Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Cc: Frank 'xraz' Fricke <xraz@rwxr-xr-x.de> Cc: Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
fe1fd25e