oss-sec mailing list archives
Re: CVE request: kernel: missing capabilities in fs_mask
From: Eugene Teo <eugene () redhat com>
Date: Thu, 23 Apr 2009 13:49:21 +0800
Eugene Teo wrote:
"When POSIX capabilities were introduced during the 2.1 Linux cycle, the fs mask, which represents the capabilities which having fsuid==0 is supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE. However, before capabilities the privilege to call these did in fact depend upon fsuid==0. This patch introduces those capabilities into the fsmask, restoring the old behavior. See the thread starting at http://lkml.org/lkml/2009/3/11/157 for reference. Note that if this fix is deemed valid, then earlier kernel versions (2.4 and 2.2) ought to be fixed too. Changelog: [Mar 23] Actually delete old CAP_FS_SET definition... [Mar 20] Updated against J. Bruce Fields's patch" References: https://bugzilla.redhat.com/show_bug.cgi?id=497047 http://lwn.net/Articles/328572/?format=printable http://lwn.net/Articles/328594/?format=printable http://git.kernel.org/linus/0ad30b8fd5fe798aae80df6344b415d8309342cc
Here's the link to the kernel 2.4 patch: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=1c06d5237647db43cb2043a19cb393f4ed4d942f Thanks, Eugene -- Eugene Teo / Red Hat Security Response Team
Current thread:
- CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 22)
- Re: CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 22)
- Re: CVE request: kernel: missing capabilities in fs_mask Steven M. Christey (Apr 24)
- Re: CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 25)
- VDBs (was Re: [oss-security] CVE request: kernel: missing capabilities in fs_mask) security curmudgeon (Apr 25)
- Re: CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 25)