From: Guido Trentalancia <guido@trentalancia.com>
To: dave w <nullcore@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare
Date: Thu, 15 Sep 2011 22:07:36 +0200 [thread overview]
Message-ID: <1316117256.2202.104.camel@vortex> (raw)
In-Reply-To: <CAB04Hprsq9z4qYzO+pTOMYC41ma7d3J7+hrcQ04KSkOQnBEnBQ@mail.gmail.com>
Hello Dave.
On Thu, 2011-09-15 at 13:39 -0400, dave w wrote:
> Hi,
>
> This patch addresses a flaw in seunshare.c that allows unprivileged
> users to arbitrarily modify the contents of /tmp. This bug is further
> described in CVE 2011-1011
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011):
seunshare should not be installed by default and, even if it still
needed to be installed by default, its setuid bit should be carefully
re-evaluated in my opinion.
In any case, good practice says nothing should ever be allowed to mount
under /tmp with suid/exec flags (use noexec,nosuid options in fstab).
That said, have you tested the patch already ? Is it effective ?
Thanks.
Guido
> The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
> Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat
> Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a
> new directory on top of /tmp without assigning root ownership and the
> sticky bit to this new directory, which allows local users to replace or
> delete arbitrary /tmp files, and consequently cause a denial of service or
> possibly gain privileges, by running a setuid application that relies on
> /tmp, as demonstrated by the ksu application
>
> This patch preserves the mode bits, and thus permissions, and
> ownership of the destination directory of the bind mount performed by
> seunshare. The permission check in verify_mount() was relaxed for
> directories who originally had the sticky bit set, as root ownership
> is required for these to ensure that unprivileged users cannot unlink
> arbitrary files in the newly bind mounted directory.
>
> Thanks,
> David
>
>
>
> policycoreutils/sandbox/seunshare.c | 23 ++++++++++++++++++++++-
> 1 files changed, 22 insertions(+), 1 deletions(-)
>
> diff --git a/policycoreutils/sandbox/seunshare.c
> b/policycoreutils/sandbox/seunshare.c
> index f9bf12c..82b3cb9 100644
> --- a/policycoreutils/sandbox/seunshare.c
> +++ b/policycoreutils/sandbox/seunshare.c
> @@ -149,7 +149,9 @@ static int verify_mount(const char *mntdir, struct
> passwd *pwd) {
> fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir,
> strerror(errno));
> return -1;
> }
> - if (sb.st_uid != pwd->pw_uid) {
> +
> + /* Owners don't have to match if the sticky bit has been set. */
> + if (sb.st_uid != pwd->pw_uid && !(sb.st_mode && S_ISVTX)) {
> errno = EPERM;
> syslog(LOG_AUTHPRIV | LOG_ALERT, "%s attempted to mount an
> invalid directory, %s", pwd->pw_name, mntdir);
> perror(_("Invalid mount point, reporting to administrator"));
> @@ -245,8 +247,17 @@ static int verify_shell(const char *shell_name)
> }
>
> static int seunshare_mount(const char *src, const char *dst, struct
> passwd *pwd) {
> + struct stat buf;
> +
> if (verbose)
> printf("Mount %s on %s\n", src, dst);
> +
> + /* Preserve mode bits and ownership */
> + if (stat(dst, &buf) < 0) {
> + fprintf(stderr, _("Failed to stat %s: %s\n"), dst, strerror(errno));
> + return -1;
> + }
> +
> if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
> fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst,
> strerror(errno));
> return -1;
> @@ -262,6 +273,16 @@ static int seunshare_mount(const char *src, const
> char *dst, struct passwd *pwd)
> return -1;
> }
>
> + /* Restore original mode bits and ownership */
> + if (chmod(dst, buf.st_mode) < 0) {
> + fprintf(stderr, _("Failed to set permissions on %s: %s\n"),
> dst, strerror(errno));
> + return -1;
> + }
> + if (chown(dst, buf.st_uid, buf.st_gid) < 0) {
> + fprintf(stderr, _("Failed to set ownership on %s: %s\n"),
> dst, strerror(errno));
> + return -1;
> + }
> +
> if (verify_mount(dst, pwd) < 0)
> return -1;
> }
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-09-15 20:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-15 17:39 [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare dave w
2011-09-15 20:07 ` Guido Trentalancia [this message]
2011-09-15 21:07 ` dave w
2011-09-16 5:42 ` Guido Trentalancia
2011-09-16 11:07 ` dave w
2011-09-16 15:02 ` Daniel J Walsh
2011-09-19 16:55 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1316117256.2202.104.camel@vortex \
--to=guido@trentalancia.com \
--cc=nullcore@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.