| Message ID | 826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, 2017-01-25 at 13:06 -0800, Andy Lutomirski wrote: > Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a > directory that is setgid and owned by a different gid than current's > fsgid, you end up with an SGID executable that is owned by the > directory's GID. This is a Bad Thing (tm). Exploiting this is > nontrivial because most ways of creating a new file create an empty > file and empty executables aren't particularly interesting, but this > is nevertheless quite dangerous. > > Harden against this type of attack by detecting this particular > corner case (unprivileged program creates SGID executable inode in > SGID directory owned by a different GID) and clearing the new > inode's SGID bit. > > > Signed-off-by: Andy Lutomirski <luto@kernel.org> > --- > fs/inode.c | 21 +++++++++++++++++++-- > 1 file changed, 19 insertions(+), 2 deletions(-) > > diff --git a/fs/inode.c b/fs/inode.c > index f7029c40cfbd..d7e4b80470dd 100644 > --- a/fs/inode.c > +++ b/fs/inode.c > @@ -2007,11 +2007,28 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, > { > inode->i_uid = current_fsuid(); > if (dir && dir->i_mode & S_ISGID) { > + bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid); [...] inode->i_gid hasn't been initialised yet. This should compare with current_fsgid(), shouldn't it? Ben.
On Wed, Jan 25, 2017 at 1:31 PM, Ben Hutchings <ben@decadent.org.uk> wrote: > On Wed, 2017-01-25 at 13:06 -0800, Andy Lutomirski wrote: >> Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a >> directory that is setgid and owned by a different gid than current's >> fsgid, you end up with an SGID executable that is owned by the >> directory's GID. This is a Bad Thing (tm). Exploiting this is >> nontrivial because most ways of creating a new file create an empty >> file and empty executables aren't particularly interesting, but this >> is nevertheless quite dangerous. >> >> Harden against this type of attack by detecting this particular >> corner case (unprivileged program creates SGID executable inode in >> SGID directory owned by a different GID) and clearing the new >> inode's SGID bit. >> >> > Signed-off-by: Andy Lutomirski <luto@kernel.org> >> --- >> fs/inode.c | 21 +++++++++++++++++++-- >> 1 file changed, 19 insertions(+), 2 deletions(-) >> >> diff --git a/fs/inode.c b/fs/inode.c >> index f7029c40cfbd..d7e4b80470dd 100644 >> --- a/fs/inode.c >> +++ b/fs/inode.c >> @@ -2007,11 +2007,28 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, >> { >> inode->i_uid = current_fsuid(); >> if (dir && dir->i_mode & S_ISGID) { >> + bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid); > [...] > > inode->i_gid hasn't been initialised yet. This should compare with > current_fsgid(), shouldn't it? Whoops. In v2, I'll fix it by inode->i_gid first -- that'll simplify the control flow. > > Ben. > > -- > Ben Hutchings > It is easier to write an incorrect program than to understand a correct > one. >
> Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a > directory that is setgid and owned by a different gid than current's fsgid, you > end up with an SGID executable that is owned by the directory's GID. This is > a Bad Thing (tm). Exploiting this is nontrivial because most ways of creating a > new file create an empty file and empty executables aren't particularly > interesting, but this is nevertheless quite dangerous. > > Harden against this type of attack by detecting this particular corner case > (unprivileged program creates SGID executable inode in SGID directory > owned by a different GID) and clearing the new inode's SGID bit. Nasty. I'd love to see a test for this in xfstests and/or pjdfstests... Frank --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Jan 25, 2017 at 01:06:52PM -0800, Andy Lutomirski wrote: > Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a > directory that is setgid and owned by a different gid than current's > fsgid, you end up with an SGID executable that is owned by the > directory's GID. This is a Bad Thing (tm). Exploiting this is > nontrivial because most ways of creating a new file create an empty > file and empty executables aren't particularly interesting, but this > is nevertheless quite dangerous. > > Harden against this type of attack by detecting this particular > corner case (unprivileged program creates SGID executable inode in > SGID directory owned by a different GID) and clearing the new > inode's SGID bit. > > Signed-off-by: Andy Lutomirski <luto@kernel.org> > --- > fs/inode.c | 21 +++++++++++++++++++-- > 1 file changed, 19 insertions(+), 2 deletions(-) > > diff --git a/fs/inode.c b/fs/inode.c > index f7029c40cfbd..d7e4b80470dd 100644 > --- a/fs/inode.c > +++ b/fs/inode.c > @@ -2007,11 +2007,28 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, > { > inode->i_uid = current_fsuid(); > if (dir && dir->i_mode & S_ISGID) { > + bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid); > + > inode->i_gid = dir->i_gid; > - if (S_ISDIR(mode)) > + if (S_ISDIR(mode)) { > mode |= S_ISGID; > - } else > + } else if (((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) > + && S_ISREG(mode) && changing_gid > + && !capable(CAP_FSETID)) { > + /* > + * Whoa there! An unprivileged program just > + * tried to create a new executable with SGID > + * set in a directory with SGID set that belongs > + * to a different group. Don't let this program > + * create a SGID executable that ends up owned > + * by the wrong group. > + */ > + mode &= ~S_ISGID; > + } > + > + } else { > inode->i_gid = current_fsgid(); > + } > inode->i_mode = mode; > } It seems to me like you're leaving inode->i_gid uninitialized when you take the Woah branch here. Or at least it's not obvious to me. I'd rather adjust it like this to make it easier to read (patched edited by hand, sorry for the bad formating) and it also covers the case where the gid_eq() check was apparently performed on something uninitialized : { inode->i_uid = current_fsuid(); + inode->i_gid = current_fsgid(); if (dir && dir->i_mode & S_ISGID) { + bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid); + inode->i_gid = dir->i_gid; - if (S_ISDIR(mode)) + if (S_ISDIR(mode)) { mode |= S_ISGID; - } else + } else if (((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) + && S_ISREG(mode) && changing_gid + && !capable(CAP_FSETID)) { + /* + * Whoa there! An unprivileged program just + * tried to create a new executable with SGID + * set in a directory with SGID set that belongs + * to a different group. Don't let this program + * create a SGID executable that ends up owned + * by the wrong group. + */ + mode &= ~S_ISGID; + } + } inode->i_mode = mode; } Please ignore all this if I missed something. Willy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/inode.c b/fs/inode.c index f7029c40cfbd..d7e4b80470dd 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2007,11 +2007,28 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, { inode->i_uid = current_fsuid(); if (dir && dir->i_mode & S_ISGID) { + bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid); + inode->i_gid = dir->i_gid; - if (S_ISDIR(mode)) + if (S_ISDIR(mode)) { mode |= S_ISGID; - } else + } else if (((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) + && S_ISREG(mode) && changing_gid + && !capable(CAP_FSETID)) { + /* + * Whoa there! An unprivileged program just + * tried to create a new executable with SGID + * set in a directory with SGID set that belongs + * to a different group. Don't let this program + * create a SGID executable that ends up owned + * by the wrong group. + */ + mode &= ~S_ISGID; + } + + } else { inode->i_gid = current_fsgid(); + } inode->i_mode = mode; } EXPORT_SYMBOL(inode_init_owner);
Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a directory that is setgid and owned by a different gid than current's fsgid, you end up with an SGID executable that is owned by the directory's GID. This is a Bad Thing (tm). Exploiting this is nontrivial because most ways of creating a new file create an empty file and empty executables aren't particularly interesting, but this is nevertheless quite dangerous. Harden against this type of attack by detecting this particular corner case (unprivileged program creates SGID executable inode in SGID directory owned by a different GID) and clearing the new inode's SGID bit. Signed-off-by: Andy Lutomirski <luto@kernel.org> --- fs/inode.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-)