From: Valient G. <vg...@po...> - 2005-01-13 15:17:58
|
Miklos Szeredi wrote: >>Quote: "Thanks for the reply. I don"t have selinux setup but I started looking >>around in the debian kernel-source for my kernel version after you >>mentioned it. There is a security subdir in the kernel tree and a >>security subdir in the /lib/modules which had a capability.ko module >>in it. >>The module wasn"t loaded which is why capset was failing." >> >>How about you at least write this on the page (or the INSTALL or README) or >>maybe file a dependency of the fuse module on this module. >> > >Good point. I'll do that. It was not clear whether this was an >individual problem or something more widespread. > > >>As far as I understand it is so that if this module exists >>(capability - in e.g. debian kernels or probably selinux kernels) >>fuse depends on it, right? >> > >On debian kernels that I tried FUSE works without needing 'modprobe >capability'. Does it solve your problem? > > Is it possible that loading capability.ko is just causing a side effect that allows fuse to get the necessary capability? I ask because I just saw this security announcement on LWN (emphasis added): kernel: race condition, privilege escalation *Package(s)*: linux-source-2.6.8.1 *CVE #(s)*: CAN-2004-1235 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235> CAN-2004-1337 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1337> *Created*: January 10, 2005 *Updated*: January 12, 2005 *Description*: Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges. (CAN-2004-1235) *Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes got all kernel capabilities (thus essentially root privileges). (CAN-2004-1337)* *Alerts*: Fedora FEDORA-2005-013 <http://lwn.net/Alerts/118595/> 2005-01-10 Fedora FEDORA-2005-014 <http://lwn.net/Alerts/118594/> 2005-01-10 Ubuntu USN-57-1 <http://lwn.net/Alerts/118510/> 2005-01-09 |