From: "Mickaël Salaün" <mic@digikod.net>
To: Christian Brauner <brauner@kernel.org>
Cc: Hyunchul Lee <hyc.lee@gmail.com>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <smfrench@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-cifs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v1] ksmbd: Fix user namespace mapping
Date: Thu, 29 Sep 2022 14:18:43 +0200 [thread overview]
Message-ID: <75d077ca-4f1d-50c4-10d2-0fb31fcd0c86@digikod.net> (raw)
In-Reply-To: <20220929113735.7k6fdu75oz4jvsvz@wittgenstein>
On 29/09/2022 13:37, Christian Brauner wrote:
> On Thu, Sep 29, 2022 at 12:04:47PM +0200, Mickaël Salaün wrote:
>> A kernel daemon should not rely on the current thread, which is unknown
>> and might be malicious. Before this security fix,
>> ksmbd_override_fsids() didn't correctly override FS UID/GID which means
>> that arbitrary user space threads could trick the kernel to impersonate
>> arbitrary users or groups for file system access checks, leading to
>> file system access bypass.
>>
>> This was found while investigating truncate support for Landlock:
>> https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com
>>
>> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
>> Cc: Hyunchul Lee <hyc.lee@gmail.com>
>> Cc: Namjae Jeon <linkinjeon@kernel.org>
>> Cc: Steve French <smfrench@gmail.com>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>> Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net
>> ---
>
> I think this is ok. The alternative would probably be to somehow use a
> relevant userns when struct ksmbd_user is created when the session is
> established. But these are deeper ksmbd design questions. The fix
> proposed here itself seems good.
That would be better indeed. I guess ksmbd works whenever the netlink
peer is not in a user namespace with mapped UID/GID, but it should
result in obvious access bugs otherwise (which is already the case
anyway). It seems that the netlink peer must be trusted because it is
the source of truth for account/user mapping anyway. This change fixes
the more critical side of the issue and it should fit well for backports.
next prev parent reply other threads:[~2022-09-29 12:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-29 10:04 [PATCH v1] ksmbd: Fix user namespace mapping Mickaël Salaün
2022-09-29 11:37 ` Christian Brauner
2022-09-29 12:18 ` Mickaël Salaün [this message]
2022-09-29 13:08 ` Christian Brauner
2022-09-29 12:38 ` Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75d077ca-4f1d-50c4-10d2-0fb31fcd0c86@digikod.net \
--to=mic@digikod.net \
--cc=brauner@kernel.org \
--cc=hyc.lee@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox