• Paolo \'Blaisorblade\' Giarrusso's avatar
    [PATCH] uml: hostfs: (security) fix chmod +s permission check · fe1fd25e
    Paolo \'Blaisorblade\' Giarrusso authored
    Frank Fricke reported that hostfs does not verify that a chmod +s, for
    instance, is done by a sufficiently privileged user, as long as the UML
    kernel itself can complete the operation on the host.
    
    So, for instance, if UML is run as root and under /mnt/host we have a hostfs
    mount, this works successfully:
    
    paolo@zion:~ (0)$ chmod 4755 /mnt/host/bin/bash
    paolo@zion:~ (0)$ ll /mnt/host/bin/bash
    
     -rwsr-xr-x  1 root root 662724 2004-10-20 02:15 /mnt/host/bin/bash*
    
    (bash refuses running as setuid, but you could have another shell on the
    host, as dash or whatever).
    
    In general, if UML is run as uid 500 on the host, a hostfs mount is done
    and under the hostfs mount there is a file with uid 500 on the host, I can
    freely make it setuid (if it's executable).
    
    This is especially bad when UML is run as root (which you should not do),
    but is a problem in general, since it allows any user to create setuid 500
    (in this example) executables on the host filesystem.
    
    Finally, while I was looking at the chmod() implementation, I spotted a
    kludge in the code and explained it with a comment.
    Signed-off-by: default avatarPaolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
    Cc: Frank 'xraz' Fricke <xraz@rwxr-xr-x.de>
    Cc: Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    fe1fd25e
hostfs_kern.c 22.2 KB