SafeSetID LSM should be built but disabled by default
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Fix Released | Medium | Tyler Hicks | |
Bug Description
The SafeSetID LSM is unlikely to be useful, by default, for a general purpose OS but a system integrator may want to make use of it in certain cases. We should build SafeSetID but not enable it by default in Ubuntu. The LSM can be put to use using the lsm= kernel boot parameter. For example, lsm=capability,
You can verify that it is enabled by reading the lsm file in securityfs:
$ cat /sys/kernel/
capability,
Documentation on configuring SafeSetID can be found here:
https:/
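One way to script the verification described above, as an added example that is not part of the original bug report: it compares the `lsm=` list requested on the kernel command line with the list of active LSMs and reports where SafeSetID stands. The function names and the sample LSM lists are hypothetical and constructed for illustration; the live-system paths in the closing comment are the standard procfs and securityfs locations.

```shell
#!/bin/sh
# Added example: classify SafeSetID state from two strings, the kernel
# command line and the comma-separated list of active LSMs.

# Print the value of the lsm= token in a kernel command line string.
# If the token is repeated, this helper keeps the last one (assumption).
lsm_param() {
    val=""
    for tok in $1; do
        case "$tok" in
            lsm=*) val="${tok#lsm=}" ;;
        esac
    done
    printf '%s' "$val"
}

# Return 0 if LSM name $1 is an exact member of comma-separated list $2.
lsm_in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = kernel command line, $2 = active LSM list.
safesetid_state() {
    requested=$(lsm_param "$1")
    if lsm_in_list safesetid "$2"; then
        echo active
    elif lsm_in_list safesetid "$requested"; then
        # Asked for at boot but not initialised: typically the kernel
        # was built without SafeSetID support.
        echo requested-but-not-active
    else
        echo not-enabled
    fi
}

# Constructed sample inputs (not taken from the bug report).
CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro lsm=capability,safesetid,yama'
safesetid_state "$CMDLINE" 'capability,safesetid,yama'   # active
safesetid_state "$CMDLINE" 'capability,yama'             # requested-but-not-active
safesetid_state 'root=/dev/sda1 ro quiet' 'capability,yama'  # not-enabled

# On a live system:
#   safesetid_state "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/lsm)"
```
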
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
A pull request for 5.4 included a fix to make SafeSetID useful due to a bug in 5.3. Details can be read here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5fb415442eb3ec946d48afe8c87b0f2fd42d7c
The needed commit is located here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21ab8580b383f27b7f59b84ac1699cb26d6c3d69