On 12/4/25 06:49, Al Viro wrote:
On Wed, Dec 03, 2025 at 02:16:29PM +0100, Bernd Edlinger wrote:
Hmm, yes, that looks like an issue.
I would have expected the security engine to look at bprm->filenanme especially in the case, when bprm->interp != bprm->filename, and check that it is not a sym-link with write-access for the current user and of course also that the bprm->file is not a regular file which is writable by the current user, if that is the case I would have expected the secuity engine to enforce non-new-privs on a SUID executable somehow.
Check that _what_ is not a symlink? And while we are at it, what do write permissions to any symlinks have to do with anything whatsoever?
When we execve a normal executable, we do open the binary file with deny_write_access so this might allow the security engine to inspaect the binary, before it is used. However this behavior has changed recently, now it has some exceptions, where even this behavior is no longer guaranteed for binary executables, due to commit 0357ef03c94ef835bd44a0658b8edb672a9dbf51, but why? I have no idea...
But with shell scripts an attack is possible, where a sym-link is executed, and the SUID bit of the target file is used but a race condition might allow the attacker to replace the script that is used by the shell:
Consider this:
ln -s /usr/bin/legitimate-suid-sctipt.sh where legitimate-suid-sctipt.sh starts with "#! /bin/bash -"
and the attack works this way: ./legitmate-suid-script.sh & ln -f -s do-what-i-want.sh legitimate-suid-script.sh
Bernd.