author Yoav Zach <yoav.zach@intel.com> 2004-06-17 17:53:45 -0700
committer Linus Torvalds <torvalds@ppc970.osdl.org> 2004-06-17 17:53:45 -0700
commit c407c033de84b3987ccd0d1525c707e5be4bafb0 (patch)
tree 689f5e669f64c590144e7646a0814ab3cd006bbe /Documentation
parent 79baf43b978b7842a28d332d9015e5cae16ebf14 (diff)
[PATCH] binfmt_misc: improve calculation of interpreter's credentials
This patch allows for misc binaries to run with credentials and security token that are calculated according to the binaries, and not according to the interpreter, which is the legacy behavior of binfmt_misc.

The way it is done is by calling prepare_binprm, which is where these attributes are calculated, before switching the 'file' field in the bprm from the binary to the interpreter.

This feature should be used with care, since the interpreter will have root permissions when running a setuid binary owned by root. Please note -

- Only root can register an interpreter with binfmt_misc. The feature is documented and the administrator is advised to handle it with care

- The new feature is enabled only with a special flag in the registration string. When this flag is not specified the current behavior of binfmt_misc is kept

- This is the only 'right' way for an interpreter to know the correct AT_SECURE value for the interpreted binary

From: Chris Wright <chrisw@osdl.org>

This patchset looks OK, except for one problem. It installs the fd (which could've been unreadable) without unsharing the ->files. So someone can use this to read unreadable yet executable files.

Here's a patch which fixes that up. I added one bit that's commented out because I'm not positive if a final steal_locks() is needed. I did a fair amount of rearranging to simplify the error conditions relative to the fd_install(), and unshare_files().

From: Chris Wright <chrisw@osdl.org>

I found that the intel patchset (and mine as well) leaked i_writecount on the original executed file. In addition, I verified that the steal_locks() bit is indeed needed.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/binfmt_misc.txt | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/binfmt_misc.txt b/Documentation/binfmt_misc.txt
index 8f8fb4a7730ac4..d097f09ee15ad2 100644
--- a/Documentation/binfmt_misc.txt
+++ b/Documentation/binfmt_misc.txt
@@ -48,6 +48,13 @@ Here is what the fields mean:
the interpreter to execute non-readable binaries. This feature should
be used with care - the interpreter has to be trusted not to emit
the contents of the non-readable binary.
+ 'C' - credentials. Currently, the behavior of binfmt_misc is to calculate
+ the credentials and security token of the new process according to
+ the interpreter. When this flag is included, these attributes are
+ calculated according to the binary. It also implies the 'O' flag.
+ This feature should be used with care as the interpreter
+ will run with root permissions when a setuid binary owned by root
+ is run with binfmt_misc.
There are some restrictions:
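Review bot: The warning that closes the new 'C' entry covers only "a setuid binary owned by root", but the entry itself says the credentials and security token are calculated according to the binary, so the interpreter takes on the credentials of whichever binary matches the format, not only root's. Word the caution in those general terms and give the root-owned setuid case as the worst case. Since the entry also states that 'C' implies 'O', it should repeat or point back to the 'O' caveat just above (the interpreter has to be trusted not to emit the contents of the non-readable binary), because an interpreter registered with 'C' has to be trusted on both counts. A smaller point: "Currently, the behavior of binfmt_misc is ..." will date as soon as this is merged; "By default" says the same thing without the time reference.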