From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Wed, 4 Nov 2015 08:46:19 -0600 From: "Serge E. Hallyn" To: Kees Cook Cc: Dirk Steinmetz , Serge Hallyn , Seth Forshee , Alexander Viro , Linux FS Devel , LKML , "Eric W . Biederman" , Serge Hallyn Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids Message-ID: <20151104144619.GB19527@mail.hallyn.com> References: <1446511187-9131-1-git-send-email-public@rsjtdrjgfuzkfg.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: On Tue, Nov 03, 2015 at 10:20:38AM -0800, Kees Cook wrote: > On Mon, Nov 2, 2015 at 4:39 PM, Dirk Steinmetz > wrote: > > In order to hardlink to a sgid-executable, it is sufficient to be the > > file's owner. When hardlinking within an unprivileged user namespace, the > > users of that namespace could thus use hardlinks to pin setgid binaries > > owned by themselves (or any mapped uid, with CAP_FOWNER) and a gid outside > > of the namespace. This is a possible security risk. > > How would such a file appear within the namespace? Wouldn't the gid > have to map to something inside the namespace? Inside the namespace it would appear as gid -1. Outside the namespace it would appear as the real gid. So the problem would be if I am allowed to map the file owning uid but not gid; I make a new link to the file; I wait for a vulnerability to be found; host admin updates the original file; now on the host I run the file - having learned how to exploit the vulnerability through no ingenuity of my own - and own all files owned by that gid. -serge