Peter Samuelson <[EMAIL PROTECTED]> writes:
> Two easy "get out of jail free" cards. There are other, more complex
> exploits. You have added one more. They all require root privileges.
Unless I'm missing something, not all of them do. I haven't checked this
or anything, but it seems to me that all you need is a cooperating
process outside the jail, that opens some world-readable directory and
sends it to the exploit process inside the jail, which fchdir()s to
it. Of course you *do* need an AF_UNIX socket inside the jail for this,
too, so it is probably a quite unlikely attack; but if, for instance,
you reused an outside-the-jail uid *inside* the jail, and the jail had
places writable by this user... bing, no root necessary.
--
`The phrase `causes storage to be reserved', doesn't mean that it causes
storage to be reserved. This is a fundamental misunderstanding of
Standardeze.' --- Mike Stump on the GCC list
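Added example, not part of the original message: a defender-side audit of the two preconditions the reply names, an AF_UNIX socket file inside the jail and jail directories writable by a uid that also exists outside it. The function names, the constructed sample tree and the choice to check only owner and world mode bits are assumptions of this example.

```python
import os
import socket
import stat
import tempfile


def audit_jail(jail_root, outside_uids):
    """Report socket files in the jail and jail directories writable by a
    uid that also exists outside it (owner and world mode bits only)."""
    outside_uids = set(outside_uids)
    sockets, writable = [], []
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        st = os.lstat(dirpath)
        owner_hit = st.st_uid in outside_uids and bool(st.st_mode & stat.S_IWUSR)
        if owner_hit or st.st_mode & stat.S_IWOTH:
            writable.append(os.path.relpath(dirpath, jail_root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISSOCK(os.lstat(path).st_mode):
                sockets.append(os.path.relpath(path, jail_root))
    return {"unix_sockets": sorted(sockets), "writable_dirs": sorted(writable)}


def build_sample_jail():
    """Constructed sample tree: one socket file, one owner-writable
    directory, one world-writable directory, read-only directories."""
    root = tempfile.mkdtemp(prefix="jail-")
    for name, mode in (("home", 0o755), ("tmp", 0o777), ("bin", 0o555)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # explicit: ignore umask
    run_dir = os.path.join(root, "run")
    os.mkdir(run_dir)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(os.path.join(run_dir, "log.sock"))  # leaves a socket file behind
    s.close()
    os.chmod(run_dir, 0o555)
    os.chmod(root, 0o555)  # jail root itself not writable
    return root


if __name__ == "__main__":
    # Treat the current uid as one that is "reused" inside the jail.
    print(audit_jail(build_sample_jail(), {os.getuid()}))
```

The audit reads mode bits from the filesystem only, so group permissions and ACLs are outside what it reports.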