From: "Frank Filz"
To: "'Andy Lutomirski'"
Cc: "'Konstantin Khlebnikov'", "'Alexander Viro'", "'Kees Cook'", "'Willy Tarreau'", "'Andrew Morton'", "'yalin wang'", "'Linux Kernel Mailing List'", "'Jan Kara'", "'Linux FS Devel'"
Subject: RE: [PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory
Date: Wed, 25 Jan 2017 15:17:16 -0800
Message-ID: <014401d27761$2c79f990$856decb0$@mindspring.com>
In-Reply-To: <826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@kernel.org>

> Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a
> directory that is setgid and owned by a different gid than current's
> fsgid, you end up with an SGID executable that is owned by the
> directory's GID. This is a Bad Thing (tm). Exploiting this is
> nontrivial because most ways of creating a new file create an empty
> file and empty executables aren't particularly interesting, but this
> is nevertheless quite dangerous.
>
> Harden against this type of attack by detecting this particular corner
> case (unprivileged program creates SGID executable inode in SGID
> directory owned by a different GID) and clearing the new inode's SGID
> bit.

Nasty. I'd love to see a test for this in xfstests and/or pjdfstests...

Frank