| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Jul 2013 13:41:13 +0900
From: Toshiyuki Okajima <toshi.okajima@...fujitsu.com>
To: <linux-kernel@...r.kernel.org>
CC: <toshi.okajima@...fujitsu.com>
Subject: [BUG] Failed to open a file after setgid
Hi guys!
I encountered that a file cannot be opened even if the process has a valid
access authority for the file on linux-3.10.
This problem is caused since the group list which getgroups() returns includes
wrong ID as the group ID after setgid(). These groups include egid of the process
before calling setgid().
Since man 3p getgroups says as follows, including egid of process itself is
no problem.
======
The getgroups() function shall fill in the array grouplist with the current
supplementary group IDs of the calling process. It is implementation-defined
whether getgroups() also returns the effective group ID in the grouplist array.
======
However, it should be the current egid after setgid() instead of the past egid.
So, I consider this behavior is a bug. How do you think?
Here is the step to reproduce:
////////////////////////////////////////////////////////////////////////////////
1. Create a file and set its file access permission/attribute as follows:
# touch /dummy
# chmod 505 /dummy
# chown 0:0 /dummy
# ls -lnd /
drwxrwxrwx. 29 0 0 4096 Jul 4 11:46 /
# ls -ln /dummy
-r-x---r-x 1 0 0 0 Jul 4 11:46 /dummy
# id
uid=0(root) gid=0(root) groups=0(root),3(sys),4(adm),10(wheel)
# su - tmpuser
$ id
uid=1000(tmpuser) gid=100(users) groups=100(users),99(nobody)
2. Run the following program as the privileged user (root)
# cd /tmp
# cat source_ng.c
---------------------------------------------------------------------------
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
int main(void)
{
int gid = setgid(100);
int uid = setuid(1000);
int fd;
int groups;
int i;
gid_t gids[10];
groups = getgroups(10, gids);
for (i = 0; i < groups; i++)
printf("[group %d] %d\n", i, gids[i]);
fd = open("/dummy", O_RDONLY);
if (fd < 0) {
fprintf(stderr, "open: %s(%d)\n", strerror(errno), errno);
return 1;
}
return 0;
}
---------------------------------------------------------------------------
# make source_ng
# /tmp/source_ng
Additional information:
The program terminates successfully when tmpuser runs it directly.
# su - tmpuser
$ /tmp/source_ng
$ echo $?
0
////////////////////////////////////////////////////////////////////////////////
This problem happens since root group (0) is still included in the group list
which getgroups() returns. Then, the process is regarded as belonging to these
groups and prohibited to access to the file.
Expected Result:
This program returns without any errors.
(getgroups() returns the group list including the primary group of the current
user but not the one of the past user after setgid())
# /tmp/source_ng
[group 0] 100
[group 1] 3
[group 2] 4
[group 3] 10
Actual Result:
This program returns with error (EACCES).
(getgroups() returns the group list including the primary group of the past
user but not the one of the current user after setgid())
# /tmp/source_ng
[group 0] 0 // I expect the value is the current egid but not the past egid.
[group 1] 3
[group 2] 4
[group 3] 10
open: Permission denied(13)
Or, setgid() has not a bug but the parameter which the pam library and
so on give setgroups() including the primary group is wrong?
Thanks,
toshi.okajima
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists