Date: Thu, 21 Sep 2000 17:48:42 -0700 (PDT)
From: kris@freebsd.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/21463: Linux compatibility mode should not allow setuid programs
Message-ID: <20000922004842.1689137B43E@hub.freebsd.org>

>Number: 21463
>Category: kern
>Synopsis: Linux compatibility mode should not allow setuid programs
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 21 17:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Kris Kennaway
>Release:
>Organization:
>Environment:
>Description:
Linux compat mode should disallow the execution of setugid applications by default, to protect us against Linux userland vulnerabilities as well as subtle interactions between the kernel privilege model in Linux and FreeBSD which may introduce security problems of their own (e.g. allowing a Linux binary to do things which a FreeBSD native binary compiled from the same code cannot do).

We don't have any setugid binaries installed from the linux_base and linux_devtools ports so this won't affect the default system.

I suggest a sysctl, defaulting to off, which controls whether or not emulated binaries can run with privileges.

This is also an issue with other binary compatibility systems like SVR4 and should also be fixed there too.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
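The report states that the linux_base and linux_devtools ports install no setugid binaries. The script below is an added example, not part of the problem report or of FreeBSD, for checking that claim on a given system: it lists every setuid or setgid regular file under a Linux compatibility tree. The default root /compat/linux and the function names are assumptions; pass the actual root as the first argument.

```shell
#!/bin/sh
# Added example: audit a Linux compatibility tree for setuid/setgid files.
# Exit status: 0 = none found, 1 = at least one found, 2 = root missing.

# Print which privilege bits are set on the file given as $1.
describe_bits() {
    bits=
    if [ -u "$1" ]; then bits=setuid; fi
    if [ -g "$1" ]; then bits=${bits:+$bits+}setgid; fi
    printf '%s\n' "$bits"
}

# Walk the tree rooted at $1 (assumed default: /compat/linux) and print
# "<bits><TAB><path>" for each regular file carrying setuid or setgid.
audit_compat_tree() {
    root=${1:-/compat/linux}
    [ -d "$root" ] || return 2

    # -perm -4000 matches setuid, -perm -2000 matches setgid.
    # -xdev keeps the walk on one filesystem (no descent into mounts).
    list=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
               -print 2>/dev/null | sort)

    [ -n "$list" ] || return 0

    printf '%s\n' "$list" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(describe_bits "$f")" "$f"
    done
    return 1
}

# Run the audit only when a root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_compat_tree "$1"
    exit $?
fi
```

A non-empty listing means the "won't affect the default system" assumption does not hold for that machine, and each listed file would stop running with privileges under the proposed default.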