oss-sec mailing list archives
Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount()
From: Simon McVittie <smcv () debian org>
Date: Wed, 23 Feb 2022 11:33:04 +0000
On Wed, 23 Feb 2022 at 08:54:49 +0100, Wire Snark wrote:
Why it isn't possible to copy the snap-confine binary into a directory for the same effect -- instead of hardlinking it?
If you copy a file you don't own, then the copy is owned by you, and has
permissions controlled by you: in particular, if you're not root, then the
copy can't be setuid root.
If you hard-link a file you don't own (which some kernel configurations
don't allow), then that filename points to the same inode as the original
filename, so it has the same ownership and permissions as the original file
(and in particular it's still setuid root).
smcv
Current thread:
- CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Qualys Security Advisory (Feb 17)
- Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Wire Snark (Feb 23)
- Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Simon McVittie (Feb 23)
- Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Wire Snark (Feb 23)