Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:
>
> Small correction - I forgot to add setuid(0) ;)
>
> PARENT CHILD
> ----------------------------------------------------------------
> fork()
> prctl(PR_SET_PDEATHSIG)
> execve("/bin/setuid-binary")
> setuid(0)
> exit()'ed or killed
> child receives NO signal this time
>
>
> PARENT CHILD
> ----------------------------------------------------------------
> fork()
> prctl(PR_SET_PDEATHSIG)
> execve("/bin/setuid-binary")
> setuid(0)
> execve("/bin/setuid-binary")
> exit()'ed or killed
> privileged process receives the signal
>
This doesn't change anything in what I said previously. If the sender's EUID or
RUID equals to any of SUID or RUID of the victim or the sender process is root,
the sender can send any signal to the victim; if none of those conditions are
met, it obviously can't, no matter how and what signal it sends. For details
look at check_kill_permission() and group_send_sig_info() in kernel/signal.c
and reparent_thread() in kernel/exit.c in the kernel source tree (version
2.6.22).
--
Sincerely Your, Dan.