On 10/31, Daniel Colascione wrote:
>
> > perhaps it would be simpler to do
> >
> >	my_cred = override_creds(file->f_cred);
> >	kill_pid(...);
> >	revert_creds(my_cred);
>
> Thanks for the suggestion. That looks neat, but it's not quite enough.
> The problem is that check_kill_permission looks for
> same_thread_group(current, t) _before_ checking kill_ok_by_cred,

Yes, you are right. Looks like kill_pid_info_as_cred() can find another user,
but probably it needs some changes with or without /proc/pid/kill ...

> There's another problem though: say we open /proc/pid/5/kill *, with
> proc 5 being an ordinary unprivileged process, e.g., the shell. At
> open(2) time, the access check passes. Now suppose PID 5 execve(2)s
> into a setuid process. The kill FD is still open, so the kill FD's
> holder can send a signal

Confused... why? kill_ok_by_cred() should fail?

Oleg.
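The exchange above turns on when the credential check runs. The following userspace model, added here as an illustration and not code from the thread or the kernel, replays the uid comparisons of kill_ok_by_cred() with the opener's f_cred frozen at open(2) and the target's credential read at write time; the uid values and the three target states are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed credential model; cap_kill stands in for
 * ns_capable(tcred->user_ns, CAP_KILL). */
struct cred {
	unsigned int uid;   /* real uid */
	unsigned int euid;  /* effective uid */
	unsigned int suid;  /* saved set-uid */
	bool cap_kill;
};

/* Same uid comparisons as kill_ok_by_cred() in kernel/signal.c: the
 * sender's real or effective uid must match the target's real or saved
 * uid, unless the sender holds CAP_KILL. */
static bool kill_ok_by_cred(const struct cred *cred, const struct cred *tcred)
{
	return cred->euid == tcred->suid || cred->euid == tcred->uid ||
	       cred->uid == tcred->suid || cred->uid == tcred->uid ||
	       cred->cap_kill;
}

/* Model of the override_creds(file->f_cred) approach: f_cred is the
 * opener's credential captured at open(2); tcred is the target's credential
 * as it stands at write time, so an execve() in between is visible here. */
static bool proc_kill_allowed(const struct cred *f_cred, const struct cred *tcred)
{
	return kill_ok_by_cred(f_cred, tcred);
}

/* Scenario from the thread: the target is an unprivileged shell at open time. */
static const struct cred opener = { 1000, 1000, 1000, false };
static const struct cred shell  = { 1000, 1000, 1000, false };
/* After execve() of a setuid-root binary: real uid kept, euid/suid now 0. */
static const struct cred setuid_exec = { 1000, 0, 0, false };
/* After that binary also changes its real uid, e.g. setresuid(0, 0, 0). */
static const struct cred full_root = { 0, 0, 0, true };

int main(void)
{
	printf("shell at open time:     %d\n", proc_kill_allowed(&opener, &shell));
	printf("after setuid execve:    %d\n", proc_kill_allowed(&opener, &setuid_exec));
	printf("after setresuid(0,0,0): %d\n", proc_kill_allowed(&opener, &full_root));
	return 0;
}
```

The setuid execve case stays allowed only because the target's real uid still matches the opener's, the same rule plain kill(2) applies; once the target no longer shares a real or saved uid with the opener, the write-time check fails.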