* [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare @ 2011-09-15 17:39 dave w 2011-09-15 20:07 ` Guido Trentalancia 2011-09-19 16:55 ` Eric Paris 0 siblings, 2 replies; 7+ messages in thread From: dave w @ 2011-09-15 17:39 UTC (permalink / raw) To: selinux; +Cc: ubuntu-hardened Hi, This patch addresses a flaw in seunshare.c that allows unprivileged users to arbitrarily modify the contents of /tmp. This bug is further described in CVE 2011-1011 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011): The seunshare_mount function in sandbox/seunshare.c in seunshare in certain Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new directory on top of /tmp without assigning root ownership and the sticky bit to this new directory, which allows local users to replace or delete arbitrary /tmp files, and consequently cause a denial of service or possibly gain privileges, by running a setuid application that relies on /tmp, as demonstrated by the ksu application This patch preserves the mode bits, and thus permissions, and ownership of the destination directory of the bind mount performed by seunshare. The permission check in verify_mount() was relaxed for directories who originally had the sticky bit set, as root ownership is required for these to ensure that unprivileged users cannot unlink arbitrary files in the newly bind mounted directory. Thanks, David policycoreutils/sandbox/seunshare.c | 23 ++++++++++++++++++++++- 1 files changed, 22 insertions(+), 1 deletions(-) diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c index f9bf12c..82b3cb9 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c @@ -149,7 +149,9 @@ static int verify_mount(const char *mntdir, struct passwd *pwd) { fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir, strerror(errno)); return -1; } - if (sb.st_uid != pwd->pw_uid) { + + /* Owners don't have to match if the sticky bit has been set. */ + if (sb.st_uid != pwd->pw_uid && !(sb.st_mode && S_ISVTX)) { errno = EPERM; syslog(LOG_AUTHPRIV | LOG_ALERT, "%s attempted to mount an invalid directory, %s", pwd->pw_name, mntdir); perror(_("Invalid mount point, reporting to administrator")); @@ -245,8 +247,17 @@ static int verify_shell(const char *shell_name) } static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) { + struct stat buf; + if (verbose) printf("Mount %s on %s\n", src, dst); + + /* Preserve mode bits and ownership */ + if (stat(dst, &buf) < 0) { + fprintf(stderr, _("Failed to stat %s: %s\n"), dst, strerror(errno)); + return -1; + } + if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) { fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno)); return -1; @@ -262,6 +273,16 @@ static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) return -1; } + /* Restore original mode bits and ownership */ + if (chmod(dst, buf.st_mode) < 0) { + fprintf(stderr, _("Failed to set permissions on %s: %s\n"), dst, strerror(errno)); + return -1; + } + if (chown(dst, buf.st_uid, buf.st_gid) < 0) { + fprintf(stderr, _("Failed to set ownership on %s: %s\n"), dst, strerror(errno)); + return -1; + } + if (verify_mount(dst, pwd) < 0) return -1; } -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare 2011-09-15 17:39 [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare dave w @ 2011-09-15 20:07 ` Guido Trentalancia 2011-09-15 21:07 ` dave w 2011-09-19 16:55 ` Eric Paris 1 sibling, 1 reply; 7+ messages in thread From: Guido Trentalancia @ 2011-09-15 20:07 UTC (permalink / raw) To: dave w; +Cc: selinux Hello Dave. On Thu, 2011-09-15 at 13:39 -0400, dave w wrote: > Hi, > > This patch addresses a flaw in seunshare.c that allows unprivileged > users to arbitrarily modify the contents of /tmp. This bug is further > described in CVE 2011-1011 > (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011): seunshare should not be installed by default and, even if it still needed to be installed by default, its setuid bit should be carefully re-evaluated in my opinion. In any case, good practice says nothing should ever be allowed to mount under /tmp with suid/exec flags (use noexec,nosuid options in fstab). That said, have you tested the patch already ? Is it effective ? Thanks. Guido > The seunshare_mount function in sandbox/seunshare.c in seunshare in certain > Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat > Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a > new directory on top of /tmp without assigning root ownership and the > sticky bit to this new directory, which allows local users to replace or > delete arbitrary /tmp files, and consequently cause a denial of service or > possibly gain privileges, by running a setuid application that relies on > /tmp, as demonstrated by the ksu application > > This patch preserves the mode bits, and thus permissions, and > ownership of the destination directory of the bind mount performed by > seunshare. The permission check in verify_mount() was relaxed for > directories who originally had the sticky bit set, as root ownership > is required for these to ensure that unprivileged users cannot unlink > arbitrary files in the newly bind mounted directory. > > Thanks, > David > > > > policycoreutils/sandbox/seunshare.c | 23 ++++++++++++++++++++++- > 1 files changed, 22 insertions(+), 1 deletions(-) > > diff --git a/policycoreutils/sandbox/seunshare.c > b/policycoreutils/sandbox/seunshare.c > index f9bf12c..82b3cb9 100644 > --- a/policycoreutils/sandbox/seunshare.c > +++ b/policycoreutils/sandbox/seunshare.c > @@ -149,7 +149,9 @@ static int verify_mount(const char *mntdir, struct > passwd *pwd) { > fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir, > strerror(errno)); > return -1; > } > - if (sb.st_uid != pwd->pw_uid) { > + > + /* Owners don't have to match if the sticky bit has been set. */ > + if (sb.st_uid != pwd->pw_uid && !(sb.st_mode && S_ISVTX)) { > errno = EPERM; > syslog(LOG_AUTHPRIV | LOG_ALERT, "%s attempted to mount an > invalid directory, %s", pwd->pw_name, mntdir); > perror(_("Invalid mount point, reporting to administrator")); > @@ -245,8 +247,17 @@ static int verify_shell(const char *shell_name) > } > > static int seunshare_mount(const char *src, const char *dst, struct > passwd *pwd) { > + struct stat buf; > + > if (verbose) > printf("Mount %s on %s\n", src, dst); > + > + /* Preserve mode bits and ownership */ > + if (stat(dst, &buf) < 0) { > + fprintf(stderr, _("Failed to stat %s: %s\n"), dst, strerror(errno)); > + return -1; > + } > + > if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) { > fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, > strerror(errno)); > return -1; > @@ -262,6 +273,16 @@ static int seunshare_mount(const char *src, const > char *dst, struct passwd *pwd) > return -1; > } > > + /* Restore original mode bits and ownership */ > + if (chmod(dst, buf.st_mode) < 0) { > + fprintf(stderr, _("Failed to set permissions on %s: %s\n"), > dst, strerror(errno)); > + return -1; > + } > + if (chown(dst, buf.st_uid, buf.st_gid) < 0) { > + fprintf(stderr, _("Failed to set ownership on %s: %s\n"), > dst, strerror(errno)); > + return -1; > + } > + > if (verify_mount(dst, pwd) < 0) > return -1; > } -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare 2011-09-15 20:07 ` Guido Trentalancia @ 2011-09-15 21:07 ` dave w 2011-09-16 5:42 ` Guido Trentalancia 0 siblings, 1 reply; 7+ messages in thread From: dave w @ 2011-09-15 21:07 UTC (permalink / raw) To: Guido Trentalancia; +Cc: selinux, ubuntu-hardened On Thu, Sep 15, 2011 at 4:07 PM, Guido Trentalancia <guido@trentalancia.com> wrote: > Hello Dave. > > On Thu, 2011-09-15 at 13:39 -0400, dave w wrote: >> Hi, >> >> This patch addresses a flaw in seunshare.c that allows unprivileged >> users to arbitrarily modify the contents of /tmp. This bug is further >> described in CVE 2011-1011 >> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011): > > seunshare should not be installed by default and, even if it still > needed to be installed by default, its setuid bit should be carefully > re-evaluated in my opinion. > Perhaps, but distros that install seunshare at present will be made safer with the addition of a patch which eliminates an attack vector to a privilege escalation. > In any case, good practice says nothing should ever be allowed to mount > under /tmp with suid/exec flags (use noexec,nosuid options in fstab). > > That said, have you tested the patch already ? Is it effective ? > Yes, the patch has been effective and with it applied, unprivileged users cannot delete files other than their own from /tmp, which is the expected behavior in a directory with the sticky bit set owned by the superuser. > Thanks. > > Guido > >> The seunshare_mount function in sandbox/seunshare.c in seunshare in certain >> Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat >> Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a >> new directory on top of /tmp without assigning root ownership and the >> sticky bit to this new directory, which allows local users to replace or >> delete arbitrary /tmp files, and consequently cause a denial of service or >> possibly gain privileges, by running a setuid application that relies on >> /tmp, as demonstrated by the ksu application >> >> This patch preserves the mode bits, and thus permissions, and >> ownership of the destination directory of the bind mount performed by >> seunshare. The permission check in verify_mount() was relaxed for >> directories who originally had the sticky bit set, as root ownership >> is required for these to ensure that unprivileged users cannot unlink >> arbitrary files in the newly bind mounted directory. >> >> Thanks, >> David >> >> >> >> policycoreutils/sandbox/seunshare.c | 23 ++++++++++++++++++++++- >> 1 files changed, 22 insertions(+), 1 deletions(-) >> >> diff --git a/policycoreutils/sandbox/seunshare.c >> b/policycoreutils/sandbox/seunshare.c >> index f9bf12c..82b3cb9 100644 >> --- a/policycoreutils/sandbox/seunshare.c >> +++ b/policycoreutils/sandbox/seunshare.c >> @@ -149,7 +149,9 @@ static int verify_mount(const char *mntdir, struct >> passwd *pwd) { >> fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir, >> strerror(errno)); >> return -1; >> } >> - if (sb.st_uid != pwd->pw_uid) { >> + >> + /* Owners don't have to match if the sticky bit has been set. */ >> + if (sb.st_uid != pwd->pw_uid && !(sb.st_mode && S_ISVTX)) { >> errno = EPERM; >> syslog(LOG_AUTHPRIV | LOG_ALERT, "%s attempted to mount an >> invalid directory, %s", pwd->pw_name, mntdir); >> perror(_("Invalid mount point, reporting to administrator")); >> @@ -245,8 +247,17 @@ static int verify_shell(const char *shell_name) >> } >> >> static int seunshare_mount(const char *src, const char *dst, struct >> passwd *pwd) { >> + struct stat buf; >> + >> if (verbose) >> printf("Mount %s on %s\n", src, dst); >> + >> + /* Preserve mode bits and ownership */ >> + if (stat(dst, &buf) < 0) { >> + fprintf(stderr, _("Failed to stat %s: %s\n"), dst, strerror(errno)); >> + return -1; >> + } >> + >> if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) { >> fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, >> strerror(errno)); >> return -1; >> @@ -262,6 +273,16 @@ static int seunshare_mount(const char *src, const >> char *dst, struct passwd *pwd) >> return -1; >> } >> >> + /* Restore original mode bits and ownership */ >> + if (chmod(dst, buf.st_mode) < 0) { >> + fprintf(stderr, _("Failed to set permissions on %s: %s\n"), >> dst, strerror(errno)); >> + return -1; >> + } >> + if (chown(dst, buf.st_uid, buf.st_gid) < 0) { >> + fprintf(stderr, _("Failed to set ownership on %s: %s\n"), >> dst, strerror(errno)); >> + return -1; >> + } >> + >> if (verify_mount(dst, pwd) < 0) >> return -1; >> } > > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare 2011-09-15 21:07 ` dave w @ 2011-09-16 5:42 ` Guido Trentalancia 2011-09-16 11:07 ` dave w 2011-09-16 15:02 ` Daniel J Walsh 0 siblings, 2 replies; 7+ messages in thread From: Guido Trentalancia @ 2011-09-16 5:42 UTC (permalink / raw) To: dave w; +Cc: selinux Hello Dave, thanks for the explanation On Thu, 2011-09-15 at 17:07 -0400, dave w wrote: > On Thu, Sep 15, 2011 at 4:07 PM, Guido Trentalancia > <guido@trentalancia.com> wrote: > > Hello Dave. > > > > On Thu, 2011-09-15 at 13:39 -0400, dave w wrote: > >> Hi, > >> > >> This patch addresses a flaw in seunshare.c that allows unprivileged > >> users to arbitrarily modify the contents of /tmp. This bug is further > >> described in CVE 2011-1011 > >> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011): > > > > seunshare should not be installed by default and, even if it still > > needed to be installed by default, its setuid bit should be carefully > > re-evaluated in my opinion. > > > > Perhaps, but distros that install seunshare at present will be made > safer with the addition of a patch which eliminates an attack vector > to a privilege escalation. So the question now is: CVE-2011-1011 is dated 20110214, how comes this is trying to get sorted out only now for upstream ? > > In any case, good practice says nothing should ever be allowed to mount > > under /tmp with suid/exec flags (use noexec,nosuid options in fstab). > > > > That said, have you tested the patch already ? Is it effective ? > > > > Yes, the patch has been effective and with it applied, unprivileged > users cannot delete files other than their own from /tmp, which is the > expected behavior in a directory with the sticky bit set owned by the > superuser. > > > Thanks. > > > > Guido > > > >> The seunshare_mount function in sandbox/seunshare.c in seunshare in certain > >> Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat > >> Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a > >> new directory on top of /tmp without assigning root ownership and the > >> sticky bit to this new directory, which allows local users to replace or > >> delete arbitrary /tmp files, and consequently cause a denial of service or > >> possibly gain privileges, by running a setuid application that relies on > >> /tmp, as demonstrated by the ksu application What happened exactly for upstream since the CVE was initially released ? > >> This patch preserves the mode bits, and thus permissions, and > >> ownership of the destination directory of the bind mount performed by > >> seunshare. The permission check in verify_mount() was relaxed for > >> directories who originally had the sticky bit set, as root ownership > >> is required for these to ensure that unprivileged users cannot unlink > >> arbitrary files in the newly bind mounted directory. Is it the first time ever that you post a patch to try sorting out the same issue ? > >> Thanks, > >> David Thanks, Guido. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare 2011-09-16 5:42 ` Guido Trentalancia @ 2011-09-16 11:07 ` dave w 2011-09-16 15:02 ` Daniel J Walsh 1 sibling, 0 replies; 7+ messages in thread From: dave w @ 2011-09-16 11:07 UTC (permalink / raw) To: Guido Trentalancia; +Cc: selinux On Fri, Sep 16, 2011 at 1:42 AM, Guido Trentalancia <guido@trentalancia.com> wrote: <snip> > So the question now is: CVE-2011-1011 is dated 20110214, how comes this > is trying to get sorted out only now for upstream ? > Unsure. I performed a search of activity related to this CVE since its original posting on 20110214 and found nothing. I'm fixing this bug on behalf of a distro (Ubuntu) and thought it prudent to upstream the changes since nobody else has addressed this CVE. That said, I also found it surprising that the CVE hadn't been addressed upstream at all since then. I thought it could be a result of the low priority most distros assigned this issue. >> > In any case, good practice says nothing should ever be allowed to mount >> > under /tmp with suid/exec flags (use noexec,nosuid options in fstab). >> > >> > That said, have you tested the patch already ? Is it effective ? >> > >> >> Yes, the patch has been effective and with it applied, unprivileged >> users cannot delete files other than their own from /tmp, which is the >> expected behavior in a directory with the sticky bit set owned by the >> superuser. >> >> > Thanks. >> > >> > Guido >> > >> >> The seunshare_mount function in sandbox/seunshare.c in seunshare in certain >> >> Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat >> >> Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a >> >> new directory on top of /tmp without assigning root ownership and the >> >> sticky bit to this new directory, which allows local users to replace or >> >> delete arbitrary /tmp files, and consequently cause a denial of service or >> >> possibly gain privileges, by running a setuid application that relies on >> >> /tmp, as demonstrated by the ksu application > > What happened exactly for upstream since the CVE was initially > released ? > >> >> This patch preserves the mode bits, and thus permissions, and >> >> ownership of the destination directory of the bind mount performed by >> >> seunshare. The permission check in verify_mount() was relaxed for >> >> directories who originally had the sticky bit set, as root ownership >> >> is required for these to ensure that unprivileged users cannot unlink >> >> arbitrary files in the newly bind mounted directory. > > Is it the first time ever that you post a patch to try sorting out the > same issue ? > >> >> Thanks, >> >> David > > Thanks, Guido. > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare 2011-09-16 5:42 ` Guido Trentalancia 2011-09-16 11:07 ` dave w @ 2011-09-16 15:02 ` Daniel J Walsh 1 sibling, 0 replies; 7+ messages in thread From: Daniel J Walsh @ 2011-09-16 15:02 UTC (permalink / raw) To: Guido Trentalancia; +Cc: dave w, selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/16/2011 01:42 AM, Guido Trentalancia wrote: > Hello Dave, thanks for the explanation > > On Thu, 2011-09-15 at 17:07 -0400, dave w wrote: >> On Thu, Sep 15, 2011 at 4:07 PM, Guido Trentalancia >> <guido@trentalancia.com> wrote: >>> Hello Dave. >>> >>> On Thu, 2011-09-15 at 13:39 -0400, dave w wrote: >>>> Hi, >>>> >>>> This patch addresses a flaw in seunshare.c that allows >>>> unprivileged users to arbitrarily modify the contents of >>>> /tmp. This bug is further described in CVE 2011-1011 >>>> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011): >>> >>> >>>> seunshare should not be installed by default and, even if it still >>> needed to be installed by default, its setuid bit should be >>> carefully re-evaluated in my opinion. >>> >> >> Perhaps, but distros that install seunshare at present will be >> made safer with the addition of a patch which eliminates an >> attack vector to a privilege escalation. > > So the question now is: CVE-2011-1011 is dated 20110214, how comes > this is trying to get sorted out only now for upstream ? > >>> In any case, good practice says nothing should ever be allowed >>> to mount under /tmp with suid/exec flags (use noexec,nosuid >>> options in fstab). >>> >>> That said, have you tested the patch already ? Is it effective >>> ? >>> >> >> Yes, the patch has been effective and with it applied, >> unprivileged users cannot delete files other than their own from >> /tmp, which is the expected behavior in a directory with the >> sticky bit set owned by the superuser. >> >>> Thanks. >>> >>> Guido >>> >>>> The seunshare_mount function in sandbox/seunshare.c in >>>> seunshare in certain Red Hat packages of policycoreutils >>>> 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and >>>> earlier, and Fedora 14 and earlier, mounts a new directory on >>>> top of /tmp without assigning root ownership and the sticky >>>> bit to this new directory, which allows local users to >>>> replace or delete arbitrary /tmp files, and consequently >>>> cause a denial of service or possibly gain privileges, by >>>> running a setuid application that relies on /tmp, as >>>> demonstrated by the ksu application > > What happened exactly for upstream since the CVE was initially > released ? > >>>> This patch preserves the mode bits, and thus permissions, >>>> and ownership of the destination directory of the bind mount >>>> performed by seunshare. The permission check in >>>> verify_mount() was relaxed for directories who originally had >>>> the sticky bit set, as root ownership is required for these >>>> to ensure that unprivileged users cannot unlink arbitrary >>>> files in the newly bind mounted directory. > > Is it the first time ever that you post a patch to try sorting out > the same issue ? > >>>> Thanks, David > > Thanks, Guido. > > > -- This message was distributed to subscribers of the selinux > mailing list. If you no longer wish to subscribe, send mail to > majordomo@tycho.nsa.gov with the words "unsubscribe selinux" > without quotes as the message. > > We fixed it in Fedora and RHEL and either we dropped the ball or upstream did on getting the fix into the upstream policy. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5zZO0ACgkQrlYvE4MpobPnNgCbBygZIFPkggN4ybPIdBxMNvNN WsgAnjfLv+1VekZqP4HBv19lHXIUz1Z+ =w6H4 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare 2011-09-15 17:39 [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare dave w 2011-09-15 20:07 ` Guido Trentalancia @ 2011-09-19 16:55 ` Eric Paris 1 sibling, 0 replies; 7+ messages in thread From: Eric Paris @ 2011-09-19 16:55 UTC (permalink / raw) To: dave w; +Cc: selinux, ubuntu-hardened On Thu, Sep 15, 2011 at 1:39 PM, dave w <nullcore@gmail.com> wrote: > Hi, > > This patch addresses a flaw in seunshare.c that allows unprivileged > users to arbitrarily modify the contents of /tmp. This bug is further > described in CVE 2011-1011 > (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011): > > The seunshare_mount function in sandbox/seunshare.c in seunshare in certain > Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat > Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a > new directory on top of /tmp without assigning root ownership and the > sticky bit to this new directory, which allows local users to replace or > delete arbitrary /tmp files, and consequently cause a denial of service or > possibly gain privileges, by running a setuid application that relies on > /tmp, as demonstrated by the ksu application > > This patch preserves the mode bits, and thus permissions, and > ownership of the destination directory of the bind mount performed by > seunshare. The permission check in verify_mount() was relaxed for > directories who originally had the sticky bit set, as root ownership > is required for these to ensure that unprivileged users cannot unlink > arbitrary files in the newly bind mounted directory. As Dan pointed out one of us dropped the ball on this. I have committed huge amounts of seunshare changes from the Fedora tree to the upstream git tree. It should include fixes for this problem as well. Your patch is definitely a smaller fix for the problem at hand as the Fedora tree has largely rewritten how filesystem mounting is done as might be appropriate for backports to old code if a distro is not ready to take the plunge into the wild world of new upstream tools! -Eric -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-09-19 16:55 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-09-15 17:39 [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare dave w 2011-09-15 20:07 ` Guido Trentalancia 2011-09-15 21:07 ` dave w 2011-09-16 5:42 ` Guido Trentalancia 2011-09-16 11:07 ` dave w 2011-09-16 15:02 ` Daniel J Walsh 2011-09-19 16:55 ` Eric Paris
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.