From: Nicolas Belouin <nicolas@belouin.fr>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, kernel-hardening@lists.openwall.com
Cc: Nicolas Belouin <nicolas@belouin.fr>
Subject: [PATCH] fs: check for DAC_READ_SEARCH instead of SYS_ADMIN
Date: Sat, 21 Oct 2017 15:24:46 +0200 [thread overview]
Message-ID: <20171021132446.17567-1-nicolas@belouin.fr> (raw)
These checks are meant to prevent leaks or attacks via directory
traversal, the use of CAP_SYS_ADMIN here is a misuse,
CAP_DAC_READ_SEARCH being way more appropriate as a process
with CAP_DAC_READ_SEARCH is entrusted with going trough all directories.
CAP_SYS_ADMIN is not meant to flag such a process.
Signed-off-by: Nicolas Belouin <nicolas@belouin.fr>
---
fs/dcookies.c | 2 +-
fs/proc/base.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/dcookies.c b/fs/dcookies.c
index 0d0461cf2431..48491299a183 100644
--- a/fs/dcookies.c
+++ b/fs/dcookies.c
@@ -158,7 +158,7 @@ SYSCALL_DEFINE3(lookup_dcookie, u64, cookie64, char __user *, buf, size_t, len)
/* we could leak path information to users
* without dir read permission without this
*/
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) && !capable(CAP_DAC_READ_SEARCH))
return -EPERM;
mutex_lock(&dcookie_mutex);
diff --git a/fs/proc/base.c b/fs/proc/base.c
index ad3b0762cc3e..965a3aa1a77f 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2006,16 +2006,16 @@ struct map_files_info {
};
/*
- * Only allow CAP_SYS_ADMIN to follow the links, due to concerns about how the
- * symlinks may be used to bypass permissions on ancestor directories in the
- * path to the file in question.
+ * Only allow CAP_SYS_ADMIN or CAP_DAC_READ_SEARCH to follow the links, due
+ * to concerns about how the symlinks may be used to bypass permissions on
+ * ancestor directories in the path to the file in question.
*/
static const char *
proc_map_files_get_link(struct dentry *dentry,
struct inode *inode,
struct delayed_call *done)
{
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) && !capable(CAP_DAC_READ_SEARCH))
return ERR_PTR(-EPERM);
return proc_pid_get_link(dentry, inode, done);
--
2.14.2
next reply other threads:[~2017-10-21 13:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-21 13:24 Nicolas Belouin [this message]
2017-10-22 5:25 ` [PATCH] fs: check for DAC_READ_SEARCH instead of SYS_ADMIN Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171021132446.17567-1-nicolas@belouin.fr \
--to=nicolas@belouin.fr \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).