Commit 88ba09df authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller

net: Update the sysctl permissions handler to test effective uid/gid

On Tue, 20 Aug 2013 11:40:04 -0500 Eric Sandeen <sandeen@redhat.com> wrote:
> This was brought up in a Red Hat bug (which may be marked private, I'm sorry):
>
> Bug 987055 - open O_WRONLY succeeds on some root owned files in /proc for process running with unprivileged EUID
>
> "On RHEL7 some of the files in /proc can be opened for writing by an unprivileged EUID."
>
> The flaw existed upstream as well last I checked.
>
> This commit in kernel v3.8 caused the regression:
>
> commit cff10976
> Author: Eric W. Biederman <ebiederm@xmission.com>
> Date:   Fri Nov 16 03:03:01 2012 +0000
>
>     net: Update the per network namespace sysctls to be available to the network namespace owner
>
>     - Allow anyone with CAP_NET_ADMIN rights in the user namespace of the
>       the netowrk namespace to change sysctls.
>     - Allow anyone the uid of the user namespace root the same
>       permissions over the network namespace sysctls as the global root.
>     - Allow anyone with gid of the user namespace root group the same
>       permissions over the network namespace sysctl as the global root group.
>
>     Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>
> because it changed /sys/net's special permission handler to test current_uid, not
> current_euid; same for current_gid/current_egid.
>
> So in this case, root cannot drop privs via set[ug]id, and retains all privs
> in this codepath.

Modify the code to use current_euid(), and in_egroup_p, as in done
in fs/proc/proc_sysctl.c:test_perm()

Cc: stable@vger.kernel.org
Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
Reported-by: default avatarEric Sandeen <sandeen@redhat.com>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fe119a05
...@@ -47,12 +47,12 @@ static int net_ctl_permissions(struct ctl_table_header *head, ...@@ -47,12 +47,12 @@ static int net_ctl_permissions(struct ctl_table_header *head,
/* Allow network administrator to have same access as root. */ /* Allow network administrator to have same access as root. */
if (ns_capable(net->user_ns, CAP_NET_ADMIN) || if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
uid_eq(root_uid, current_uid())) { uid_eq(root_uid, current_euid())) {
int mode = (table->mode >> 6) & 7; int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode; return (mode << 6) | (mode << 3) | mode;
} }
/* Allow netns root group to have the same access as the root group */ /* Allow netns root group to have the same access as the root group */
if (gid_eq(root_gid, current_gid())) { if (in_egroup_p(root_gid)) {
int mode = (table->mode >> 3) & 7; int mode = (table->mode >> 3) & 7;
return (mode << 3) | mode; return (mode << 3) | mode;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment