| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jan 2012 08:17:29 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org
Cc: Casey Schaufler <casey@...aufler-ca.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jamie Lokier <jamie@...reable.org>, keescook@...omium.org,
john.johansen@...onical.com, serge.hallyn@...onical.com,
coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com,
djm@...drot.org, segoon@...nwall.com, rostedt@...dmis.org,
jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com,
penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu,
akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com,
amwang@...hat.com, oleg@...hat.com, ak@...ux.intel.com,
eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com,
daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org, olofj@...omium.org,
mhalcrow@...gle.com, dlaor@...hat.com, corbet@....net,
alan@...rguk.ukuu.org.uk, Al Viro <viro@...IV.linux.org.uk>,
Andy Lutomirski <luto@...capital.net>
Subject: [PATCH v3 4/4] Allow unprivileged chroot when safe
Chroot can easily be used to subvert setuid programs. If no_new_privs,
then setuid programs don't gain any privilege, so allow chroot.
Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN
is still required if the caller is already chrooted.
Signed-off-by: Andy Lutomirski <luto@...capital.net>
---
fs/open.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/fs/open.c b/fs/open.c
index 77becc0..2e2887a 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -418,10 +418,39 @@ out:
return error;
}
+static bool is_chrooted(struct fs_struct *fs)
+{
+ bool ret;
+
+ /*
+ * This is equivalent to checking whether "/.." is the same
+ * directory as "/", where the ".." part ignores the current
+ * root. This logic is the same as follow_dotdot except that we
+ * ignore fs->root and we don't need to follow the final
+ * mountpoint we end up on.
+ */
+ struct path path = fs->root;
+ path_get(&path);
+ while (true) {
+ if (path.dentry != path.mnt->mnt_root) {
+ ret = true; /* .. moves up within a vfsmount. */
+ break;
+ }
+
+ if (!follow_up(&path)) {
+ ret = false; /* We've hit the real root. */
+ break;
+ }
+ }
+ path_put(&path);
+ return ret;
+}
+
SYSCALL_DEFINE1(chroot, const char __user *, filename)
{
struct path path;
int error;
+ struct fs_struct *fs = current->fs;
error = user_path_dir(filename, &path);
if (error)
@@ -432,13 +461,26 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
goto dput_and_out;
error = -EPERM;
- if (!capable(CAP_SYS_CHROOT))
+ /*
+ * Chroot is dangerous unless no_new_privs is set, and we also
+ * don't want to allow unprivileged users to break out of chroot
+ * jail with another chroot call.
+ *
+ * We therefore allow chroot under one of two circumstances:
+ * a) no_new_privs (so setuid and similar programs can't be
+ * exploited), fs not shared (to avoid bypassing no_new_privs),
+ * and not already chrooted (so there's no chroot jail to break
+ * out of)
+ * b) CAP_SYS_CHROOT
+ */
+ if (!(current->no_new_privs && fs->users == 1 && !is_chrooted(fs)) &&
+ !capable(CAP_SYS_CHROOT))
goto dput_and_out;
error = security_path_chroot(&path);
if (error)
goto dput_and_out;
- set_fs_root(current->fs, &path);
+ set_fs_root(fs, &path);
error = 0;
dput_and_out:
path_put(&path);
--
1.7.7.6
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists