Thread: 12 messages, 6 authors, 2017-01-26

RE: [PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory

From: Frank Filz <hidden>
Date: 2017-01-25 23:17:16
Also in: linux-fsdevel, lkml

Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a
directory that is setgid and owned by a different gid than current's
fsgid, you end up with an SGID executable that is owned by the
directory's GID.  This is a Bad Thing (tm).  Exploiting this is
nontrivial because most ways of creating a new file create an empty
file and empty executables aren't particularly interesting, but this
is nevertheless quite dangerous.

Harden against this type of attack by detecting this particular corner
case (unprivileged program creates SGID executable inode in SGID
directory owned by a different GID) and clearing the new inode's SGID
bit.

Nasty.

I'd love to see a test for this in xfstests and/or pjdfstests...

Frank
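
The kind of regression test asked for above, sketched as a standalone C program. This is an added example, not part of the original message and not code from xfstests or pjdfstests; the function names, the exit codes and the IDs 60001/60002 are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { HARDENED = 0, VULNERABLE = 1, SKIP = 77 };
/* Classify the inode the create produced. "SGID executable" is taken
 * here to mean S_ISGID together with S_IXGRP (assumption). */
int classify(mode_t mode, gid_t file_gid, gid_t dir_gid)
{
    if (file_gid != dir_gid)
        return SKIP; /* GID was not inherited: precondition not met */
    mode_t bits = S_ISGID | S_IXGRP;
    return (mode & bits) == bits ? VULNERABLE : HARDENED;
}

/* Needs root for setup. Creates a setgid directory owned by dir_gid, then
 * creates a file in it as uid/gid with no supplementary groups. */
int sgid_create_check(const char *base, gid_t dir_gid, uid_t uid, gid_t gid)
{
    char dir[256], file[300];
    struct stat st;
    int status = 0;
    if (geteuid() != 0) return SKIP;
    snprintf(dir, sizeof dir, "%s/sgidtest.XXXXXX", base);
    if (!mkdtemp(dir)) return SKIP;
    if (chown(dir, 0, dir_gid) || chmod(dir, 02777)) { rmdir(dir); return SKIP; }
    snprintf(file, sizeof file, "%s/foo", dir);
    pid_t pid = fork();
    if (pid == 0) {
        umask(0); /* keep the requested 02777 intact */
        if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) _exit(SKIP);
        int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 02777);
        if (fd < 0 || fstat(fd, &st)) _exit(SKIP);
        _exit(classify(st.st_mode, st.st_gid, dir_gid));
    }
    if (pid > 0) waitpid(pid, &status, 0);
    unlink(file);
    rmdir(dir);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : SKIP;
}

int main(void)
{   /* 60001/60002 are constructed IDs assumed to be unused on the host */
    return sgid_create_check("/tmp", 60001, 60002, 60002);
}
```

Exit status 0 means the SGID bit was cleared on the new file, 1 means it survived, and 77 means the case could not be set up (for example, not running as root).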

