lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <0707E37B6D2E244C85660487B602C9221D9D9846@ex02.briontech.com>
Date:	Tue, 10 Jun 2008 15:05:11 -0700
From:	Luoqi Chen <Luoqi.Chen@...on.com>
To:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: NFS open/setuid/ftruncate problem

Hi,

I've recently encountered a problem which could be a bug in the nfs implementation.
It could be illustrated with the following small program,

#include <fcntl.h>
#include <unistd.h>

main()
{
        int fd;

        fd = open("abc", O_WRONLY | O_CREAT, 0644);
        if (fd < 0) {
                perror("open");
                exit(-1);
        }

        write(fd, "test\n", 5);

        setuid(65534);

        if (ftruncate(fd, 3) < 0)
                perror("ftruncate");

        close(fd);
}

Compile and run it as root on an NFS mount without root squash, ftruncate() would
return an EACCESS error. On a local disk, it would complete successfully, leaving
behind a file "abc" with the string "tes". It would also be successful on NFS
if you change the mode from 0644 to 0666 (make sure to set your umask to 0).

I'm not familiar with linux nfs code, but it seems to me that the nfs code does
an additional access mode check in ftruncate/setattr, which is not done on a local
fs. I've checked on freebsd, the program works fine on both local and nfs.

Could someone more familiar with the nfs code take a look? I'm running 2.6.9-42.Elsmp
64-bit, nfsv3 mount. For nfs server, I've tried linux/freebsd and a commercial one
with a proprietary OS.

Thanks
-luoqi

PS: I'm not a subscriber of the linux kernel mailing list, I'd appreciate if any
response could be send to me directly.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ