Re: [fuse-devel] fuse missing some capabilities

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Miklos Szeredi wrote:
>>Quote: "Thanks for the reply. I don"t have selinux setup but I started looking
>>around in the debian kernel-source for my kernel version after you
>>mentioned it. There is a security subdir in the kernel tree and a
>>security subdir in the /lib/modules which had a capability.ko module
>>in it.
>>The module wasn"t loaded which is why capset was failing."
>>
>>How about you at least write this on the page (or the INSTALL or README) or
>>maybe file a dependency of the fuse module on this module.
>>    
>
>Good point.  I'll do that.  It was not clear whether this was an
>individual problem or something more widespread.  
>
>  
>>As far as I understand it is so that if this module exists
>>(capability - in e.g. debian kernels or probably selinux kernels)
>>fuse depends on it, right?
>>    
>
>On debian kernels that I tried FUSE works without needing 'modprobe
>capability'.  Does it solve your problem?
>
>  

Is it possible that loading capability.ko is just causing a side effect 
that allows fuse to get the necessary capability?  I ask because I just 
saw this security announcement on LWN (emphasis added):

kernel: race condition, privilege escalation
*Package(s)*: 	linux-source-2.6.8.1 	*CVE #(s)*: 	CAN-2004-1235 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235> 
CAN-2004-1337 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1337>
*Created*: 	January 10, 2005 	*Updated*: 	January 12, 2005
*Description*: 	Paul Starzetz discovered a race condition in the ELF 
library and a.out binary format loaders, which can be locally exploited 
in several different ways to gain root privileges. (CAN-2004-1235)

*Liang Bin found a design flaw in the capability module. After this 
module was loaded on demand in a running system, all unprivileged user 
space processes got all kernel capabilities (thus essentially root 
privileges). (CAN-2004-1337)*

*Alerts*: 	
Fedora 	FEDORA-2005-013 <http://lwn.net/Alerts/118595/> 	2005-01-10
Fedora 	FEDORA-2005-014 <http://lwn.net/Alerts/118594/> 	2005-01-10
Ubuntu 	USN-57-1 <http://lwn.net/Alerts/118510/> 	2005-01-09