linux/kernel/sys.c, branch v2.6.16.37-rc1 Linux kernel source tree https://git.amat.us/linux/atom/kernel/sys.c?h=v2.6.16.37-rc1 2006-07-06T20:05:42Z fix prctl privilege escalation and suid_dumpable (CVE-2006-2451) 2006-07-06T20:05:42Z Greg Kroah-Hartman gregkh@suse.de 2006-07-06T20:05:42Z urn:sha1:9e4e45f19bdd41b4091e5fe556f816f4046c7598 Based on a patch from Ernie Petrides During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> [PATCH] RLIMIT_CPU: fix handling of a zero limit 2006-04-17T20:16:06Z Andrew Morton akpm@osdl.org 2006-03-24T11:18:35Z urn:sha1:284a7c99c01846ee44040268529c99fc92dcc531 At present the kernel doesn't honour an attempt to set RLIMIT_CPU to zero seconds. But the spec says it should, and that's what 2.4.x does. Fixing this for real would involve some complexity (such as adding a new it-has-been-set flag to the task_struct, and testing that everwhere, instead of overloading the value of it_prof_expires). Given that a 2.4 kernel won't actually send the signal until one second has expired anyway, let's just handle this case by treating the caller's zero-seconds as one second. Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Ulrich Weigand <uweigand@de.ibm.com> Cc: Cliff Wickman <cpw@sgi.com> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] kernel/sys.c NULL noise removal 2006-02-08T01:57:47Z Al Viro viro@zeniv.linux.org.uk 2006-02-01T10:57:32Z urn:sha1:4bb8089c86b95b4f6bbd839cb83ca4556b06a031 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> [ACPI] merge 3549 4320 4485 4588 4980 5483 5651 acpica asus fops pnpacpi branches into release 2006-01-24T22:52:48Z Len Brown len.brown@intel.com 2006-01-24T22:52:48Z urn:sha1:9fdb62af92c741addbea15545f214a6e89460865 Signed-off-by: Len Brown <len.brown@intel.com> [PATCH] move capable() to capability.h 2006-01-12T02:42:13Z Randy.Dunlap rdunlap@xenotime.net 2006-01-11T20:17:46Z urn:sha1:c59ede7b78db329949d9cdcd7064e22d357560ef - Move capable() from sched.h to capability.h; - Use <linux/capability.h> where capable() is used (in include/, block/, ipc/, kernel/, a few drivers/, mm/, security/, & sound/; many more drivers/ to go) Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] uninline capable() 2006-01-12T02:42:13Z Ingo Molnar mingo@elte.hu 2006-01-11T20:17:45Z urn:sha1:e16885c5ad624a6efe1b1bf764e075d75f65a788 Uninline capable(). Saves 2K of kernel text on a generic .config, and 1K on a tiny config. In addition it makes the use of capable more consistent between CONFIG_SECURITY and !CONFIG_SECURITY Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] simplify k_getrusage() 2006-01-09T04:14:09Z Oleg Nesterov oleg@tv-sign.ru 2006-01-08T09:05:15Z urn:sha1:0f59cc4a35dbbc45c972daad0f1b063380cd9ea4 Factor out common code for different RUSAGE_xxx cases. Don't take ->sighand->siglock in RUSAGE_SELF case, suggested by Ravikiran G Thirumalai <kiran@scalex86.org>. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] setpgid: should not accept ptraced childs 2006-01-09T04:14:01Z Oleg Nesterov oleg@tv-sign.ru 2006-01-08T09:03:59Z urn:sha1:f7dd795e913656c390b6bde27790c518973feea1 sys_setpgid() allows to change ->pgrp of ptraced childs. 'man setpgid' does not tell anything about that, so I consider this behaviour is a bug. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Oren Laadan <orenl@cs.columbia.edu> Cc: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] setpgid: should work for sub-threads 2006-01-09T04:14:01Z Oren Laadan orenl@cs.columbia.edu 2006-01-08T09:03:58Z urn:sha1:e19f247a3dbd85485ec13174817ae9c2478fe541 setsid() does not work unless the calling process is a thread_group_leader(). 'man setpgid' does not tell anything about that, so I consider this behaviour is a bug. Signed-off-by: Oren Laadan <orenl@cs.columbia.edu> Cc: Oleg Nesterov <oleg@tv-sign.ru> Cc: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] setpgid: should work for sub-threads 2006-01-09T04:14:01Z Oleg Nesterov oleg@tv-sign.ru 2006-01-08T09:03:53Z urn:sha1:ee0acf90d320c29916ba8c5c1b2e908d81f5057d setpgid(0, pgid) or setpgid(forked_child_pid, pgid) does not work unless the calling process is a thread_group_leader(). 'man setpgid' does not tell anything about that, so I consider this behaviour is a bug. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Oren Laadan <orenl@cs.columbia.edu> Cc: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>