lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <cover.1499805484.git.ernesto.mnd.fernandez@gmail.com>
Date:   Wed, 12 Jul 2017 06:53:22 -0300
From:   Ernesto A. Fernández 
        <ernesto.mnd.fernandez@...il.com>
To:     Jan Kara <jack@...e.com>, Theodore Ts'o <tytso@....edu>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        Dave Kleikamp <shaggy@...nel.org>, linux-ext4@...r.kernel.org,
        jfs-discussion@...ts.sourceforge.net,
        reiserfs-devel@...r.kernel.org
Subject: [PATCH 0/5] Failure to set acl may alter group permissions

When changing a file's acl mask, the function that sets the access control
list (ext2_set_acl(), __ext4_set_acl(), __jfs_set_acl()...) will first set
the group permission bits of the file to the value of the mask (by calling
posix_acl_update_mode()), and only then set the actual extended attribute
representing the new acl.

The problem is, none of these functions try to restore the original
permission bits if the second part fails. If this happens to a file that
had no acl attributes to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.

If your working directory is on a filesystem mounted with extended user
attributes (and acl of course), this script will trigger the issue by
filling the drive:


touch test.file
chmod go-rwx test.file
yes xxxxxxxxxx > test.file
i=1
while setfattr -n user.$i test.file; do
  ((++i))
done
setfacl -m m:r test.file


By the time the script returns, the group that owns test.file may have read
permissions that were never granted. This happens reliably on at least
ext2, ext4, jfs and reiserfs.

I will follow this mail with patch drafts for those filesystems. I believe
most filesystems that support acl will need a patch, but perhaps it's best
if I share what I have so far.

Thank you for your attention.

Ernesto A. Fernández (5):
  ext4: preserve i_mode if __ext4_set_acl() fails
  ext2: preserve i_mode if ext2_set_acl() fails
  ext2: fix line over 80 characters in ext2_set_acl()
  jfs: preserve i_mode if __jfs_set_acl() fails
  reiserfs: preserve i_mode if __reiserfs_set_acl() fails

 fs/ext2/acl.c           | 25 ++++++++++++++++---------
 fs/ext4/acl.c           | 15 +++++++++++----
 fs/jfs/acl.c            | 15 +++++++++++----
 fs/reiserfs/xattr.c     |  4 ++++
 fs/reiserfs/xattr_acl.c | 25 +++++++++----------------
 5 files changed, 51 insertions(+), 33 deletions(-)

-- 
2.1.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ