From: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
To: "NeilBrown" <neilb@suse.de>, "NFS" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] NFS/sunrpc: don't use a credential with extra groups.
Date: Wed, 26 Oct 2011 01:30:34 +0200 [thread overview]
Message-ID: <00de01cc93af$bc3812cc$d25f630a@hq.netapp.com> (raw)
Hi Neil
I queued this patch up for linux-next testing earlier this morning. I could have included it in the pull I sent to Linus, but I'm trying to be a bit more strict about integration testing prior to pushing.
I also added a Cc: stable@kernel.org. I'm assuming that was appropriate.
Cheers
Trond
NeilBrown <neilb@suse.de> wrote:
Hi Trond,
A customer hit this bug recently - which seems to have been around forever -
at least since 2.6.16.
I suspect few people would risk hitting it, but our customer does
interesting things with group lists (presumably some least-privilege policy)
and they managed to trigger it for us.
NeilBrown
>From 80b7771c0e18f755a6b9679e6c3b9d1449ba40ee Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Tue, 25 Oct 2011 10:17:06 +1100
Subject: [PATCH] NFS/sunrpc: don't use a credential with extra groups.
The sunrpc layer keeps a cache of recently used credentials and
'unx_match' is used to find the credential which matches the current
process.
However unx_match allows a match when the cached credential has extra
groups at the end of uc_gids list which are not in the process group list.
So if a process with a list of (say) 4 group accesses a file and gains
access because of the last group in the list, then another process
with the same uid and gid, and a gid list being the first tree of the
gids of the original process tries to access the file, it will be
granted access even though it shouldn't as the wrong rpc credential
will be used.
Signed-off-by: NeilBrown <neilb@suse.de>
---
net/sunrpc/auth_unix.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/sunrpc/auth_unix.c b/net/sunrpc/auth_unix.c
index 4cb70dc..e50502d 100644
--- a/net/sunrpc/auth_unix.c
+++ b/net/sunrpc/auth_unix.c
@@ -129,6 +129,9 @@ unx_match(struct auth_cred *acred, struct rpc_cred *rcred, int flags)
for (i = 0; i < groups ; i++)
if (cred->uc_gids[i] != GROUP_AT(acred->group_info, i))
return 0;
+ if (groups < NFS_NGROUPS &&
+ cred->uc_gids[groups] != NOGROUP)
+ return 0;
return 1;
}
--
1.7.7
next reply other threads:[~2011-10-26 7:20 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-25 23:30 Myklebust, Trond [this message]
2011-10-26 7:36 ` [PATCH] NFS/sunrpc: don't use a credential with extra groups NeilBrown
-- strict thread matches above, loose matches on Subject: below --
2011-10-24 23:25 NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='00de01cc93af$bc3812cc$d25f630a@hq.netapp.com' \
--to=trond.myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).