From: "Serge E. Hallyn" <serue@us.ibm.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Igor Zhbanov <izh1979@gmail.com>,
linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk,
neilb@suse.de, Trond.Myklebust@netapp.com,
David Howells <dhowells@redhat.com>,
James Morris <jmorris@namei.org>,
Andrew Morgan <morgan@kernel.org>
Subject: Re: VFS, NFS security bug? Should CAP_MKNOD and CAP_LINUX_IMMUTABLE be added to CAP_FS_MASK?
Date: Thu, 12 Mar 2009 11:03:00 -0500 [thread overview]
Message-ID: <20090312160300.GC13046@us.ibm.com> (raw)
In-Reply-To: <20090311232356.GP13540@fieldses.org>
Quoting J. Bruce Fields (bfields@fieldses.org):
> On Wed, Mar 11, 2009 at 03:53:34PM +0300, Igor Zhbanov wrote:
> > Hello!
> >
> > It seems that CAP_MKNOD and CAP_LINUX_IMMUTABLE were forgotten to be
(Still looking into this, but meanwhile...)
> > added to CAP_FS_MASK_B0 in linux-2.6.x and to CAP_FS_MASK in
> > linux-2.4.x. Both capabilities affects file system and can be
> > considered file system capabilities.
>
> Sounds right to me--I'd expect rootsquash to guarantee that new device
> nodes can't be created from the network. Cc'ing random people from the
> git log for include/linux/capability.h in hopes they can help.
>
> --b.
>
> (Also: my copy of mknod(2) claims "Linux... does not have the CAP_MKNOD
> capability". I assume the manpage is out of date?)
No, the whole paragraph is:
EPERM mode requested creation of something other than a regular file, FIFO
(named pipe), or Unix domain socket, and the caller is not privileged
(Linux: does not have the CAP_MKNOD capability);
So it's saying that 'caller is not privileged', in linux, can be
interpreted to mean 'the caller does not have CAP_MKNOD'.
>
> >
> > Let's look at linux-2.6.x.
> >
> > In include/linux/capability.h CAP_FS_SET is defined to contain
> > following capabilities:
> > CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER,
> > CAP_FSETID and CAP_MAC_OVERRIDE.
> >
> > And CAP_NFSD_SET is defined to be the same plus CAP_SYS_RESOURCE.
> >
> > So, both CAP_FS_SET and CAP_NFSD_SET doesn't include CAP_MKNOD and
> > CAP_LINUX_IMMUTABLE.
> >
> > Also include/linux/capability.h there are cap_drop_fs_set(...),
> > cap_raise_fs_set(...),
> > cap_drop_nfsd_set(...) and cap_raise_nfsd_set(...) inline functions that return
> > corresponding capabilities sets.
> >
> > Let's look how these functions are used.
> >
> > In file fs/nfsd/auth.c function nfsd_setuser(...) calls
> > cap_raise_nfsd_set(...) and
> > cap_drop_nfsd_set(...) to add/exclude corresponding capabilities to/from
> > effective set of current nfsd process.
> >
> > And in file security/commoncap.c function cap_task_post_setuid(...) calls
> > cap_drop_fs_set(...) and cap_raise_fs_set(...) to change effective set
> > of current task
> > when (current->fsuid != old_ruid).
> >
> > In linux-2.4.x the story is the same.
> >
> > In file include/linux/capability.h CAP_FS_MASK is defined to contain
> > CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID
> > capabilities.
> >
> > And in file fs/nfsd/auth.c CAP_NFSD_MASK is defined to be same as CAP_FS_MASK
> > plus CAP_SYS_RESOURCE.
> >
> > In file fs/nfsd/auth.c function nfsd_setuser(...) uses CAP_NFSD_MASK
> > to add/exclude corresponding capabilities to/from effective set of current
> > nfsd process.
> >
> > And CAP_FS_MASK used in file kernel/sys.c in function sys_setfsuid(...)
> > to add/exclude corresponding capabilities to/from effective set of current task.
> >
> > This can be exploited (and I have succesfully tried it).
> >
> > Suppose you have NFS-share exported even with root_squash option.
> > If one client was compromised, local root can set CAP_MKNOD to some
> > local user's process. Then that user can execute mknod to create a device
> > that will be owned by that user, e.g. block device file for /dev/hda hard drive.
> >
> > And he can create that device file on NFS-share (even exported with root_squash
> > option). After that he can someway (ssh, cgi) execute code on another nfs client
> > or the server to modify it's filesystem. It will be possible because
> > he owns that
> > device file on nfs share.
> >
> > The problem is because CAP_MKNOD allows that user to successfully execute
> > vfs_mknod(...) function on local host, and that function will call corresponding
> > function in nfs module which sends request to NFS server. And nfsd will not
> > drop CAP_MKNOD in nfsd_setuser(...) function when impersonating to that user.
> >
> > Of course, NFS-shares can be mounted with nodev option, but they should be
> > placed on separate partition on NFS-server, so even on server that partition
> > is mounted with nodev option too.
> >
> > So I suggest to add CAP_MKNOD and CAP_LINUX_IMMUTABLE to CAP_FS_MASK
> > in linux-2.4.x and to CAP_FS_MASK_B0 in linux-2.6.x.
next prev parent reply other threads:[~2009-03-12 16:03 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-11 12:53 VFS, NFS security bug? Should CAP_MKNOD and CAP_LINUX_IMMUTABLE be added to CAP_FS_MASK? Igor Zhbanov
2009-03-11 23:23 ` J. Bruce Fields
2009-03-12 16:03 ` Serge E. Hallyn [this message]
2009-03-12 16:31 ` J. Bruce Fields
2009-03-12 16:10 ` Serge E. Hallyn
2009-03-12 19:00 ` J. Bruce Fields
2009-03-12 20:56 ` Igor Zhbanov
2009-03-12 20:21 ` Michael Kerrisk
2009-03-13 17:58 ` J. Bruce Fields
2009-03-13 18:37 ` Ответ: " Igor Zhbanov
2009-03-13 19:00 ` Serge E. Hallyn
2009-03-16 18:21 ` Stephen Smalley
2009-03-16 18:49 ` Serge E. Hallyn
2009-03-16 21:00 ` Stephen Smalley
2009-03-16 22:26 ` Igor Zhbanov
2009-03-16 23:13 ` Serge E. Hallyn
2009-03-16 23:17 ` Igor Zhbanov
2009-03-17 14:20 ` Stephen Smalley
2009-03-17 17:39 ` Serge E. Hallyn
2009-03-17 17:52 ` Stephen Smalley
2009-03-17 18:23 ` Serge E. Hallyn
2009-03-18 16:17 ` ?????: " Casey Schaufler
2009-03-18 16:38 ` Serge E. Hallyn
2009-03-18 16:21 ` Ответ: " Stephen Smalley
2009-03-18 16:47 ` Serge E. Hallyn
2009-03-18 16:57 ` J. Bruce Fields
2009-03-18 17:24 ` Serge E. Hallyn
2009-03-16 22:48 ` J. Bruce Fields
2009-03-16 23:03 ` Serge E. Hallyn
2009-03-14 19:20 ` Michael Kerrisk
2009-03-16 14:16 ` Igor Zhbanov
2009-03-16 16:36 ` J. Bruce Fields
2009-03-16 16:46 ` J. Bruce Fields
2009-03-16 17:05 ` Serge E. Hallyn
2009-03-16 17:04 ` Serge E. Hallyn
2009-03-16 22:54 ` J. Bruce Fields
2009-03-16 22:59 ` Serge E. Hallyn
2009-03-23 13:21 ` unprivileged mounts vs. rmdir (was: VFS, NFS security bug? ...) Miklos Szeredi
2009-03-26 12:43 ` Pavel Machek
2009-03-26 13:14 ` Matthew Wilcox
2009-03-27 7:04 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090312160300.GC13046@us.ibm.com \
--to=serue@us.ibm.com \
--cc=Trond.Myklebust@netapp.com \
--cc=bfields@fieldses.org \
--cc=dhowells@redhat.com \
--cc=izh1979@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=neilb@suse.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox