Linux Kernel 2.2.16 Released - Fixes Security Hole

Sendmail.net has posted a warning that Linux kernels up to and including 2.2.15 contain a serious security hole that could allow users to gain root access via the setcap(2) call. This feature is apparently undocumented on many Linux-based systems; it lets users break root's privileges down into a series of separate capabilities, which is what makes the hole exploitable.

An example posted on sendmail.net is as follows:

One such capability is the ability of a process to do an arbitrary setuid(2) call. As documented in ISO/IEC 9945-1 (ANSI/IEEE Std 1003.1) POSIX Part 1:

4.2.2.2 Description
...
If {_POSIX_SAVED_IDS} is defined:

(1) If the process has appropriate privileges, the setuid() function sets the real user ID, effective user ID, and the saved set-user-ID to uid.

(2) If the process does not have the appropriate privileges, but uid is equal to the real user ID or the saved set-user-ID, the setuid() function sets the effective user ID to uid; the real user ID and saved set-user-ID remain unchanged by this function call.

The CAP_SETUID capability represents the "appropriate privileges."

Sendmail.net explains the exploit in more detail on its Web site. The patch and the full source code are available for download, and the release notes can be read at linux.org.
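The POSIX text above is the whole point for programs that start as root and call setuid() to shed that privilege: once CAP_SETUID has been taken away, the kernel refuses the call, setuid() returns -1, and a program that never looks at the return value simply carries on running as root. The following routine is an added example, not code from the article, from sendmail.net or from the kernel; it drops to a target uid/gid, treats any refused call as fatal, and then re-checks its own identity (including that root cannot be regained) before reporting success. The target ids default to the caller's real uid and gid so it can be tried as an ordinary user.

```c
/* Added example (not from the BetaNews article or sendmail.net): a
 * privilege-drop routine that treats a failed setgid()/setuid() as fatal
 * and re-verifies its identity afterwards, so a process whose
 * CAP_SETUID/CAP_SETGID capability was removed cannot silently stay root. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only when every id really equals uid/gid and, for a non-root
 * target, a switch back to uid 0 is refused by the kernel. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) {
        fprintf(stderr, "uid mismatch: real=%lu effective=%lu wanted=%lu\n",
                (unsigned long)getuid(), (unsigned long)geteuid(),
                (unsigned long)uid);
        return -1;
    }
    if (getgid() != gid || getegid() != gid) {
        fprintf(stderr, "gid mismatch: real=%lu effective=%lu wanted=%lu\n",
                (unsigned long)getgid(), (unsigned long)getegid(),
                (unsigned long)gid);
        return -1;
    }
    /* With the saved set-user-ID also changed, POSIX rule (2) above must
       now make setuid(0) fail; if it succeeds, privileges were not dropped. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop incomplete: setuid(0) succeeded\n");
        return -1;
    }
    return 0;
}

/* Drop to uid/gid. Returns 0 on verified success, -1 on any failure. */
int drop_to(uid_t uid, gid_t gid)
{
    /* A root process sheds its supplementary groups first; an unprivileged
       process is not allowed to call setgroups() at all, so skip it there. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    /* Order matters: after the uid is gone the process may no longer be
       permitted to change its gid. */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    /* This is the call that must never go unchecked: if CAP_SETUID is
       missing, setuid() returns -1 and the effective uid stays 0. */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }
    return verify_identity(uid, gid);
}

/* Stand-alone use: ./drop [uid [gid]]; defaults to the caller's real ids. */
int main(int argc, char **argv)
{
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    if (drop_to(uid, gid) != 0) {
        fprintf(stderr, "refusing to continue with unverified privileges\n");
        return EXIT_FAILURE;
    }
    printf("now running as uid=%lu gid=%lu\n",
           (unsigned long)geteuid(), (unsigned long)getegid());
    return EXIT_SUCCESS;
}
```

The design choice worth copying is that success is decided by what getuid()/geteuid() report afterwards and by the refused setuid(0), not by the return value of setuid() alone; a daemon that exits when drop_to() fails is safe even on a kernel that hands it the wrong capability set.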

