Date: Wed, 13 May 2009 17:05:38 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission
Frank Filz reported: the problem is that permission checking is skipped
if atomic open is possible, but when exec opens a file, it just opens it
O_READONLY which means EXEC permission will not be checked at that time.
This problem is observed by the following sequence (executed as root):
mount -t nfs4 server:/ /mnt4
echo "ls" >/mnt4/foo
chmod 744 /mnt4/foo
su guest -c "mnt4/foo"
linux-2.6.29.3/fs/nfs/dir.c:
1928 int nfs_permission(struct inode *inode, int mask)
1929 {
[...]
1941 switch (inode->i_mode & S_IFMT) {
1942 case S_IFLNK:
1943 goto out;
1944 case S_IFREG:
1945 /* NFSv4 has atomic_open... */
1946 if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
1947 && (mask & MAY_OPEN))
We need to make sure that if mask & MAY_EXEC, we force a permission
check, otherwise the script can be executed even if guest has no +x
permission.
1948 goto out;
1949 break;
http://article.gmane.org/gmane.linux.nfs/26592
https://bugzilla.redhat.com/show_bug.cgi?id=500297
http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
Thanks, Eugene
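The following is an added, self-contained model of the S_IFREG branch quoted above; it is not kernel code and not part of the original report. It reproduces the 2.6.29.3 logic (any MAY_OPEN request on an atomic-open-capable server skips the local check) beside a hardened variant that adds the condition the report asks for, `!(mask & MAY_EXEC)`, so that exec requests still reach the generic rwx check. The MAY_* values are those of include/linux/fs.h in 2.6.29; open_exec() in that kernel requests MAY_EXEC | MAY_OPEN. The struct, the `atomic_open_capable` flag, the `is_owner` caller model (group bits ignored) and the sample mode 0744 are assumptions made for the example.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Permission-mask bits with the values used by include/linux/fs.h in 2.6.29.
 * MAY_READ/MAY_WRITE/MAY_EXEC deliberately coincide with the rwx mode bits. */
#define MAY_EXEC  0x01
#define MAY_WRITE 0x02
#define MAY_READ  0x04
#define MAY_OPEN  0x20

#define EACCES 13

#ifndef S_IFMT
#define S_IFMT  0170000
#define S_IFREG 0100000
#define S_IFLNK 0120000
#endif

/* Assumed stand-in for struct inode: type+mode bits, plus whether the server
 * advertised NFS_CAP_ATOMIC_OPEN (modelled here as a plain flag). */
struct inode {
	unsigned int i_mode;
	int atomic_open_capable;
};

/* Simplified generic_permission(): the owner is checked against the "user"
 * triplet, everyone else against "other" (group membership is ignored). */
static int generic_permission(const struct inode *inode, int mask, int is_owner)
{
	unsigned int bits = is_owner ? (inode->i_mode >> 6) & 7 : inode->i_mode & 7;

	if ((mask & (MAY_READ | MAY_WRITE | MAY_EXEC)) & ~bits)
		return -EACCES;
	return 0;
}

/* Model of nfs_permission() for the cases quoted in the report.
 * fixed == 0: the 2.6.29.3 behaviour, every MAY_OPEN request on an
 *             atomic-open server bypasses the local check.
 * fixed == 1: additionally require !(mask & MAY_EXEC) before bypassing,
 *             so exec always goes through generic_permission(). */
static int nfs_permission_model(const struct inode *inode, int mask,
				int is_owner, int fixed)
{
	switch (inode->i_mode & S_IFMT) {
	case S_IFLNK:
		return 0;
	case S_IFREG:
		/* NFSv4 atomic open: the server checks at OPEN time, but exec
		 * only OPENs for read, so the server never sees MAY_EXEC. */
		if (inode->atomic_open_capable && (mask & MAY_OPEN)
		    && (!fixed || !(mask & MAY_EXEC)))
			return 0;
		break;
	default:
		break;
	}
	return generic_permission(inode, mask, is_owner);
}

/* open_exec() in 2.6.29 asks for MAY_EXEC | MAY_OPEN. */
#define EXEC_MASK (MAY_EXEC | MAY_OPEN)

/* Convenience wrapper: build a regular-file inode and run the check. */
static int nfs_check(unsigned int mode, int atomic_open, int mask,
		     int is_owner, int fixed)
{
	struct inode f = { S_IFREG | mode, atomic_open };

	return nfs_permission_model(&f, mask, is_owner, fixed);
}

int main(void)
{
	/* Constructed sample: the report's "chmod 744 /mnt4/foo" on an NFSv4
	 * mount, executed by a non-owner ("guest"). */
	printf("guest exec, vulnerable: %d\n", nfs_check(0744, 1, EXEC_MASK, 0, 0));
	printf("guest exec, fixed:      %d\n", nfs_check(0744, 1, EXEC_MASK, 0, 1));
	printf("owner exec, fixed:      %d\n", nfs_check(0744, 1, EXEC_MASK, 1, 1));
	printf("guest read-open, fixed: %d\n",
	       nfs_check(0744, 1, MAY_READ | MAY_OPEN, 0, 1));
	printf("guest exec, NFSv3-style server: %d\n",
	       nfs_check(0744, 0, EXEC_MASK, 0, 0));
	return 0;
}
```

With the original condition the guest exec of a 0744 file returns 0 (allowed) because MAY_OPEN alone triggers the shortcut; with the extra `!(mask & MAY_EXEC)` term the same request falls through to the rwx check and returns -EACCES, while a plain read open is still deferred to the server's OPEN as before, and a server without atomic open never took the shortcut in either case.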