• Hugh Dickins's avatar
    fix setuid sometimes wouldn't · 7c2c7d99
    Hugh Dickins authored
    check_unsafe_exec() also notes whether the fs_struct is being
    shared by more threads than will get killed by the exec, and if so
    sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
    But /proc/<pid>/cwd and /proc/<pid>/root lookups make transient
    use of get_fs_struct(), which also raises that sharing count.
    
    This might occasionally cause a setuid program not to change euid,
    in the same way as happened with files->count (check_unsafe_exec
    also looks at sighand->count, but /proc doesn't raise that one).
    
    We'd prefer exec not to unshare fs_struct: so fix this in procfs,
    replacing get_fs_struct() by get_fs_path(), which does path_get
    while still holding task_lock, instead of raising fs->count.
    Signed-off-by: default avatarHugh Dickins <hugh@veritas.com>
    Cc: stable@kernel.org
    ___
    
     fs/proc/base.c |   50 +++++++++++++++--------------------------------
     1 file changed, 16 insertions(+), 34 deletions(-)
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    7c2c7d99
base.c 74.1 KB