Re: [PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory
From: Willy Tarreau
Date: Wed Jan 25 2017 - 18:51:47 EST
On Wed, Jan 25, 2017 at 01:06:52PM -0800, Andy Lutomirski wrote:
> Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a
> directory that is setgid and owned by a different gid than current's
> fsgid, you end up with an SGID executable that is owned by the
> directory's GID. This is a Bad Thing (tm). Exploiting this is
> nontrivial because most ways of creating a new file create an empty
> file and empty executables aren't particularly interesting, but this
> is nevertheless quite dangerous.
>
> Harden against this type of attack by detecting this particular
> corner case (unprivileged program creates SGID executable inode in
> SGID directory owned by a different GID) and clearing the new
> inode's SGID bit.
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
> ---
> fs/inode.c | 21 +++++++++++++++++++--
> 1 file changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index f7029c40cfbd..d7e4b80470dd 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -2007,11 +2007,28 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
> {
> inode->i_uid = current_fsuid();
> if (dir && dir->i_mode & S_ISGID) {
> + bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid);
> +
> inode->i_gid = dir->i_gid;
> - if (S_ISDIR(mode))
> + if (S_ISDIR(mode)) {
> mode |= S_ISGID;
> - } else
> + } else if (((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
> + && S_ISREG(mode) && changing_gid
> + && !capable(CAP_FSETID)) {
> + /*
> + * Whoa there! An unprivileged program just
> + * tried to create a new executable with SGID
> + * set in a directory with SGID set that belongs
> + * to a different group. Don't let this program
> + * create a SGID executable that ends up owned
> + * by the wrong group.
> + */
> + mode &= ~S_ISGID;
> + }
> +
> + } else {
> inode->i_gid = current_fsgid();
> + }
> inode->i_mode = mode;
> }
It seems to me like you're leaving inode->i_gid uninitialized when you
take the Woah branch here. Or at least it's not obvious to me. I'd
rather adjust it like this to make it easier to read (patched edited
by hand, sorry for the bad formating) and it also covers the case
where the gid_eq() check was apparently performed on something
uninitialized :
{
inode->i_uid = current_fsuid();
+ inode->i_gid = current_fsgid();
if (dir && dir->i_mode & S_ISGID) {
+ bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid);
+
inode->i_gid = dir->i_gid;
- if (S_ISDIR(mode))
+ if (S_ISDIR(mode)) {
mode |= S_ISGID;
- } else
+ } else if (((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
+ && S_ISREG(mode) && changing_gid
+ && !capable(CAP_FSETID)) {
+ /*
+ * Whoa there! An unprivileged program just
+ * tried to create a new executable with SGID
+ * set in a directory with SGID set that belongs
+ * to a different group. Don't let this program
+ * create a SGID executable that ends up owned
+ * by the wrong group.
+ */
+ mode &= ~S_ISGID;
+ }
+ }
inode->i_mode = mode;
}
Please ignore all this if I missed something.
Willy