Received: by 10.36.78.7 with HTTP; Wed, 24 Jun 2015 15:06:21 -0700 (PDT)
Date: Wed, 24 Jun 2015 15:06:21 -0700
Subject: Re: Group man to group root privilege escalation
From: Linus Torvalds
To: Andy Lutomirski
Cc: "security at kernel.org", halfdog, Kees Cook, Al Viro
Content-Type: multipart/mixed; boundary=047d7b3a9c1295186505194ab7e3

--047d7b3a9c1295186505194ab7e3
Content-Type: text/plain; charset=UTF-8

On Wed, Jun 24, 2015 at 2:45 PM, Linus Torvalds wrote:
>
> Ahh, yes. Ok, I agree, we should probably do both - use f_cred for the
> suid removal check, *and* make sure that group-sticky directories
> clear the sgid bit on file creation.

Maybe something fairly simple like this for the SGID case?

                    Linus

--047d7b3a9c1295186505194ab7e3
Content-Type: text/plain; charset=US-ASCII; name="patch.diff"
Content-Disposition: attachment; filename="patch.diff"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_ibbb8b9f0

IGZzL2lub2RlLmMgfCAyICsrCiAxIGZpbGUgY2hhbmdlZCwgMiBpbnNlcnRpb25zKCspCgpkaWZm
IC0tZ2l0IGEvZnMvaW5vZGUuYyBiL2ZzL2lub2RlLmMKaW5kZXggZThkNjI2ODhlZDkxLi43YmRl
MGFkNjczZTQgMTAwNjQ0Ci0tLSBhL2ZzL2lub2RlLmMKKysrIGIvZnMvaW5vZGUuYwpAQCAtMTg5
OCw2ICsxODk4LDggQEAgdm9pZCBpbm9kZV9pbml0X293bmVyKHN0cnVjdCBpbm9kZSAqaW5vZGUs
IGNvbnN0IHN0cnVjdCBpbm9kZSAqZGlyLAogCQlpbm9kZS0+aV9naWQgPSBkaXItPmlfZ2lkOwog
CQlpZiAoU19JU0RJUihtb2RlKSkKIAkJCW1vZGUgfD0gU19JU0dJRDsKKwkJZWxzZSBpZiAoKG1v
ZGUgJiAoU19JU0dJRCB8IFNfSVhHUlApKSA9PSAoU19JU0dJRCB8IFNfSVhHUlApKQorCQkJbW9k
ZSAmPSB+U19JU0dJRDsKIAl9IGVsc2UKIAkJaW5vZGUtPmlfZ2lkID0gY3VycmVudF9mc2dpZCgp
OwogCWlub2RlLT5pX21vZGUgPSBtb2RlOwo=
--047d7b3a9c1295186505194ab7e3--