On 10/31, Daniel Colascione wrote:
>
> > > Confused... why? kill_ok_by_cred() should fail?
> >
> > Not if we don't run it. :-)
>
> I thought you were proposing that we do *all* access checks in open()
> and let write() succeed unconditionally,

Ah, no ;)

> Anyway, I sent a v2 patch that I think closes the hole another way. In
> v2, we just require that the real user ID that opens a /proc/pid/kill
> file is the same one that writes to it. It successfully blocks the
> setuid attack above while preserving all the write-time permission
> checks and keeping the close correspondence between
> write()-on-proc-pid-kill-fd and kill(2). Can you think of any
> situation where this scheme breaks?

I see no problems... but again, perhaps we should fix kill_pid_info_as_cred()
and use it in /proc/pid/kill? I dunno.

Oleg.