From: Vivek Goyal <vgoyal@redhat.com>
To: Luis Henriques <lhenriques@suse.de>
Cc: linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com,
linux-kernel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Virtio-fs] [RFC PATCH] fuse: Clear SGID bit when setting mode in setacl
Date: Tue, 2 Mar 2021 09:22:46 -0500 [thread overview]
Message-ID: <20210302142246.GC220334@redhat.com> (raw)
In-Reply-To: <20210301163324.GC186178@redhat.com>
On Mon, Mar 01, 2021 at 11:33:24AM -0500, Vivek Goyal wrote:
> On Fri, Feb 26, 2021 at 06:33:57PM +0000, Luis Henriques wrote:
> > Setting file permissions with POSIX ACLs (setxattr) isn't clearing the
> > setgid bit. This seems to be CVE-2016-7097, detected by running fstest
> > generic/375 in virtiofs. Unfortunately, when the fix for this CVE landed
> > in the kernel with commit 073931017b49 ("posix_acl: Clear SGID bit when
> > setting file permissions"), FUSE didn't had ACLs support yet.
>
> Hi Luis,
>
> Interesting. I did not know that "chmod" can lead to clearing of SGID
> as well. Recently we implemented FUSE_HANDLE_KILLPRIV_V2 flag which
> means that file server is responsible for clearing of SUID/SGID/caps
> as per following rules.
>
> - caps are always cleared on chown/write/truncate
> - suid is always cleared on chown, while for truncate/write it is cleared
> only if caller does not have CAP_FSETID.
> - sgid is always cleared on chown, while for truncate/write it is cleared
> only if caller does not have CAP_FSETID as well as file has group execute
> permission.
>
> And we don't have anything about "chmod" in this list. Well, I will test
> this and come back to this little later.
Looks like I did not notice the setattr_prepare() call in
fuse_do_setattr() which clears SGID in client itself and server does not
have to do anything extra. So it works.
IOW, FUSE_HANDLE_KILLPRIV_V2 will not handle this particular case and
fuse client will clear SGID on chmod, if need be.
Vivek
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com>
To: Luis Henriques <lhenriques@suse.de>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com,
linux-kernel@vger.kernel.org,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [RFC PATCH] fuse: Clear SGID bit when setting mode in setacl
Date: Tue, 2 Mar 2021 09:22:46 -0500 [thread overview]
Message-ID: <20210302142246.GC220334@redhat.com> (raw)
In-Reply-To: <20210301163324.GC186178@redhat.com>
On Mon, Mar 01, 2021 at 11:33:24AM -0500, Vivek Goyal wrote:
> On Fri, Feb 26, 2021 at 06:33:57PM +0000, Luis Henriques wrote:
> > Setting file permissions with POSIX ACLs (setxattr) isn't clearing the
> > setgid bit. This seems to be CVE-2016-7097, detected by running fstest
> > generic/375 in virtiofs. Unfortunately, when the fix for this CVE landed
> > in the kernel with commit 073931017b49 ("posix_acl: Clear SGID bit when
> > setting file permissions"), FUSE didn't had ACLs support yet.
>
> Hi Luis,
>
> Interesting. I did not know that "chmod" can lead to clearing of SGID
> as well. Recently we implemented FUSE_HANDLE_KILLPRIV_V2 flag which
> means that file server is responsible for clearing of SUID/SGID/caps
> as per following rules.
>
> - caps are always cleared on chown/write/truncate
> - suid is always cleared on chown, while for truncate/write it is cleared
> only if caller does not have CAP_FSETID.
> - sgid is always cleared on chown, while for truncate/write it is cleared
> only if caller does not have CAP_FSETID as well as file has group execute
> permission.
>
> And we don't have anything about "chmod" in this list. Well, I will test
> this and come back to this little later.
Looks like I did not notice the setattr_prepare() call in
fuse_do_setattr() which clears SGID in client itself and server does not
have to do anything extra. So it works.
IOW, FUSE_HANDLE_KILLPRIV_V2 will not handle this particular case and
fuse client will clear SGID on chmod, if need be.
Vivek
next prev parent reply other threads:[~2021-03-02 14:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-26 18:33 [Virtio-fs] [RFC PATCH] fuse: Clear SGID bit when setting mode in setacl Luis Henriques
2021-02-26 18:33 ` Luis Henriques
2021-03-01 16:33 ` [Virtio-fs] " Vivek Goyal
2021-03-01 16:33 ` Vivek Goyal
2021-03-01 18:20 ` [Virtio-fs] " Luis Henriques
2021-03-01 18:20 ` Luis Henriques
2021-03-02 16:00 ` [Virtio-fs] " Vivek Goyal
2021-03-02 16:00 ` Vivek Goyal
2021-03-02 16:25 ` [Virtio-fs] " Vivek Goyal
2021-03-02 16:25 ` Vivek Goyal
2021-03-03 15:36 ` [Virtio-fs] " Miklos Szeredi
2021-03-03 15:36 ` Miklos Szeredi
2021-03-02 14:22 ` Vivek Goyal [this message]
2021-03-02 14:22 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210302142246.GC220334@redhat.com \
--to=vgoyal@redhat.com \
--cc=lhenriques@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.