lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 07 Oct 2013 15:58:26 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	ebiederm@...ssion.com
Cc:	sandeen@...hat.com, akpm@...ux-foundation.org, security@...nel.org,
	pmatouse@...hat.com, netdev@...r.kernel.org, keescook@...gle.com
Subject: Re: [PATCH] net: Update the sysctl permissions handler to test
 effective uid/gid

From: ebiederm@...ssion.com (Eric W. Biederman)
Date: Sat, 05 Oct 2013 13:15:30 -0700

> 
> On Tue, 20 Aug 2013 11:40:04 -0500 Eric Sandeen <sandeen@...hat.com> wrote:
>> This was brought up in a Red Hat bug (which may be marked private, I'm sorry):
>>
>> Bug 987055 - open O_WRONLY succeeds on some root owned files in /proc for process running with unprivileged EUID
>>
>> "On RHEL7 some of the files in /proc can be opened for writing by an unprivileged EUID."
>>
>> The flaw existed upstream as well last I checked.
>>
>> This commit in kernel v3.8 caused the regression:
>>
>> commit cff109768b2d9c03095848f4cd4b0754117262aa
>> Author: Eric W. Biederman <ebiederm@...ssion.com>
>> Date:   Fri Nov 16 03:03:01 2012 +0000
>>
>>     net: Update the per network namespace sysctls to be available to the network namespace owner
>>
>>     - Allow anyone with CAP_NET_ADMIN rights in the user namespace of the
>>       the netowrk namespace to change sysctls.
>>     - Allow anyone the uid of the user namespace root the same
>>       permissions over the network namespace sysctls as the global root.
>>     - Allow anyone with gid of the user namespace root group the same
>>       permissions over the network namespace sysctl as the global root group.
>>
>>     Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
>>     Signed-off-by: David S. Miller <davem@...emloft.net>
>>
>> because it changed /sys/net's special permission handler to test current_uid, not
>> current_euid; same for current_gid/current_egid.
>>
>> So in this case, root cannot drop privs via set[ug]id, and retains all privs
>> in this codepath.
> 
> Modify the code to use current_euid(), and in_egroup_p, as in done
> in fs/proc/proc_sysctl.c:test_perm()
> 
> Cc: stable@...r.kernel.org
> Reviewed-by: Eric Sandeen <sandeen@...hat.com>
> Reported-by: Eric Sandeen <sandeen@...hat.com>
> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>

Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ