Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount()


oss-sec mailing list archives

From: Simon McVittie <smcv () debian org>

Date: Wed, 23 Feb 2022 11:33:04 +0000

On Wed, 23 Feb 2022 at 08:54:49 +0100, Wire Snark wrote:
> Why isn't it possible to copy the snap-confine binary into a directory
> for the same effect -- instead of hardlinking it?

If you copy a file you don't own, then the copy is owned by you, and has
permissions controlled by you: in particular, if you're not root, then the
copy can't be setuid root.

If you hard-link a file you don't own (which some kernel configurations
don't allow), then that filename points to the same inode as the original
filename, so it has the same ownership and permissions as the original file
(and in particular it's still setuid root).

    smcv
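Added example, not part of the thread and not snapd code: a small POSIX shell script that shows the distinction Simon draws above. It builds a constructed fixture owned by the current user (an unprivileged process cannot create a root-owned setuid file, and the inode/ownership argument is the same either way), hard-links it, copies it, and reports inode, owner and mode for each name. It assumes GNU stat (Linux); function names such as make_fixture and same_inode are the example's own.

```shell
#!/bin/sh
# Added example (not from the original message or from snapd): why a hard
# link keeps the original's owner and setuid bit while a copy does not.
# Requires GNU stat (Linux); the function names here are the example's own.
set -e

# Print inode number, owner uid and octal mode of a path.
describe() {
    stat -c 'inode=%i uid=%u mode=%a' "$1"
}

# Succeed when both paths are the same inode on the same device,
# i.e. one is a hard link of the other.
same_inode() {
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

# Succeed when the set-user-ID bit is present in the path's mode.
has_setuid() {
    [ -u "$1" ]
}

# Constructed fixture: a stand-in for a setuid binary. It is owned by the
# current user because an unprivileged process cannot create a root-owned
# file; with a root-owned original the inode/ownership reasoning is identical
# (except that fs.protected_hardlinks may then refuse the ln for non-root).
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$dir/orig"
    chmod 4755 "$dir/orig"
    # Hard link: a second name for the same inode. Owner and mode, including
    # the setuid bit, are properties of the inode, so they come along.
    ln "$dir/orig" "$dir/hardlink"
    # Copy: a new inode created by the copying process. It is owned by that
    # process's uid, and its mode is whatever cp assigns to a new file.
    cp "$dir/orig" "$dir/copy"
    echo "$dir"
}

# Walk through the comparison and print the evidence.
demo() {
    d=$(make_fixture)
    for f in orig hardlink copy; do
        printf '%-9s %s\n' "$f" "$(describe "$d/$f")"
    done
    if same_inode "$d/orig" "$d/hardlink"; then
        echo "hardlink shares the inode of orig: owner and setuid bit preserved"
    fi
    if ! same_inode "$d/orig" "$d/copy"; then
        echo "copy is a new inode owned by uid $(stat -c %u "$d/copy") (this process: $(id -u))"
    fi
    rm -rf "$d"
}

demo
```

Run it as an ordinary user: the hardlink line shows the same inode and the same 4755 mode as orig, while copy shows a fresh inode owned by your uid. That is the whole reason the attack needs a hard link rather than a copy: only the link gives a second path to root's setuid inode.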

Current thread:

CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Qualys Security Advisory (Feb 17)

Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Wire Snark (Feb 23)

Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Simon McVittie (Feb 23)
