LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Spengler: False Boundaries and Arbitrary Code Execution

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 16:48 UTC (Thu) by nye (guest, #51576)
Parent article: Spengler: False Boundaries and Arbitrary Code Execution

Some of these capabilities seem so obviously and trivially equivalent to having uid 0 that I wonder if I'm missing something. For example, in what cases would CAP_SET_UID or CAP_CHOWN be useful? Surely you may as well be running as root already.

(Log in to post comments)

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 17:49 UTC (Thu) by unBrice (guest, #72229) [Link]

You might be inside a chroot-like and only have access to your own files on a filesystem mounted with nosuid,…

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 6, 2011 19:24 UTC (Thu) by spender (subscriber, #23067) [Link]

chroot doesn't matter: in 2002 I wrote in the French MISC magazine 11 ways to break out of a chroot jail. One of them applies here: chroot doesn't matter if you have CAP_SETUID, in fact CAP_SETUID is basically equivalent to CAP_SYS_PTRACE. If i can change to any UID, then I can effectively ptrace any process (including those running outside of the chroot) giving me full control of the host system.

-Brad

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 7, 2011 8:23 UTC (Fri) by job (guest, #670) [Link]

Is this article online?

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 7, 2011 11:38 UTC (Fri) by Aissen (subscriber, #59976) [Link]

I found it here, but it's in french:
http://www.touslesreseaux.com/forum/index.php?showtopic=40

Funny, I think I might still have the magazine (Misc 9) in a box somewhere…

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 11, 2011 14:29 UTC (Tue) by job (guest, #670) [Link]

"Page non trouvée". (404)

Spengler: False Boundaries and Arbitrary Code Execution

Posted Jan 11, 2011 14:52 UTC (Tue) by Aissen (subscriber, #59976) [Link]

Seems like I made someone remember about this installed forum, and the article in it by linking to it.

But webarchive still has it:
http://web.archive.org/web/20080609074507/http://www.tous...

Also, a quick pastebin of the text & html versions of the article:
http://pastebin.com/kjCqFnv1

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds