lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20130704134113.dd7b366a45fcdc00f001dba8@jp.fujitsu.com>
Date:	Thu, 4 Jul 2013 13:41:13 +0900
From:	Toshiyuki Okajima <toshi.okajima@...fujitsu.com>
To:	<linux-kernel@...r.kernel.org>
CC:	<toshi.okajima@...fujitsu.com>
Subject: [BUG] Failed to open a file after setgid

Hi guys!

I encountered that a file cannot be opened even if the process has a valid 
access authority for the file on linux-3.10. 

This problem is caused since the group list which getgroups() returns includes 
wrong ID as the group ID after setgid(). These groups include egid of the process 
before calling setgid().

Since man 3p getgroups says as follows, including egid of process itself is
no problem.

======
The getgroups() function shall fill in the array grouplist with the current
supplementary group IDs of  the  calling  process.  It  is implementation-defined
whether getgroups() also returns the effective group ID in the grouplist array.
======

However, it should be the current egid after setgid() instead of the past egid.
So, I consider this behavior is a bug. How do you think?

Here is the step to reproduce:
////////////////////////////////////////////////////////////////////////////////
1. Create a file and set its file access permission/attribute as follows:
 # touch /dummy
 # chmod 505 /dummy
 # chown 0:0 /dummy
 # ls -lnd /
 drwxrwxrwx. 29 0 0 4096 Jul  4 11:46 /
 # ls -ln /dummy
 -r-x---r-x 1 0 0 0 Jul  4 11:46 /dummy
 # id
 uid=0(root) gid=0(root) groups=0(root),3(sys),4(adm),10(wheel)
 # su - tmpuser
 $ id
 uid=1000(tmpuser) gid=100(users) groups=100(users),99(nobody)

2. Run the following program as the privileged user (root)
  # cd /tmp
  # cat source_ng.c
---------------------------------------------------------------------------
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
int main(void)
{
        int gid = setgid(100);
        int uid = setuid(1000);
        int fd;
        int groups;
        int i;
        gid_t gids[10];

        groups = getgroups(10, gids);
        for (i = 0; i < groups; i++)
                printf("[group %d] %d\n", i, gids[i]);
        fd = open("/dummy", O_RDONLY);
        if (fd < 0) {
                fprintf(stderr, "open: %s(%d)\n", strerror(errno), errno);
                return 1;
        }
        return 0;
}
  ---------------------------------------------------------------------------
  # make source_ng
  # /tmp/source_ng

  Additional information: 
    The program terminates successfully when tmpuser runs it directly. 
  # su - tmpuser
  $ /tmp/source_ng
  $ echo $?
  0  
////////////////////////////////////////////////////////////////////////////////

This problem happens since root group (0) is still included in the group list
which getgroups() returns. Then, the process is regarded as belonging to these 
groups and prohibited to access to the file.

Expected Result:
This program returns without any errors.
(getgroups() returns the group list including the primary group of the current 
user but not the one of the past user after setgid()) 
  # /tmp/source_ng
  [group 0] 100	
  [group 1] 3                   
  [group 2] 4
  [group 3] 10

Actual Result:
This program returns with error (EACCES).
(getgroups() returns the group list including the primary group of the past
user but not the one of the current user after setgid()) 
  # /tmp/source_ng
  [group 0] 0	// I expect the value is the current egid but not the past egid.
  [group 1] 3                   
  [group 2] 4
  [group 3] 10
  open: Permission denied(13)

Or, setgid() has not a bug but the parameter which the pam library and 
so on give setgroups() including the primary group is wrong? 

Thanks,
toshi.okajima
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ