quincy: client: disallow unprivileged users to escalate root privileges#60314
quincy: client: disallow unprivileged users to escalate root privileges#60314yuriw merged 1 commit intoceph:quincyfrom
Conversation
An unprivileged user can `chmod 777` a directory owned by root and gain access. Fix this bug and also add a test case for the same. Signed-off-by: Xiubo Li <xiubli@redhat.com> Signed-off-by: Venky Shankar <vshankar@redhat.com>
|
jenkins retest this please |
|
Reviewed-by: Venky Shankar vshankar@redhat.com https://tracker.ceph.com/projects/cephfs/wiki/Quincy#wip-yuri12-testing-2024-10-16-1152-quincy cc @yuriw |
yuriw
left a comment
There was a problem hiding this comment.
Reviewed-by: Venky Shankar vshankar@redhat.com
|
jenkins test docs |
1 similar comment
|
jenkins test docs |
| * | ||
| * Only allow unprivileged users to clear S_ISUID and S_ISUID. | ||
| */ | ||
| if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) && |
There was a problem hiding this comment.
But this allows any change to SUID or SGID to happen for unprivileged users, not just clearing them like the comment would suggest? Which would then also allow escalating to the user the file is owned (like e.g., root), if it's already an executable.
There was a problem hiding this comment.
@ThomasLamprecht hi Thomas, i concur with you. i am not a filesystem expert, but after reading through the related documents, i found that
When the owner or group of an executable file is changed by an unprivileged user, the
S_ISUIDandS_ISGIDmode bits are cleared.
see chown(2). so the mode value we receive in the FUSE operations has already been processed by the kernel. If SUID/SGID bits should be cleared according to POSIX rules, they will already be cleared in the mode value passed to the fuse driver.
so there are two cases when it comes to modification to SUID/SGID:
SUIDand/orSGIDare the only bits cleared by kernel. we should allow this without even checking if current user is root/owner.- otherwise we enforce the regular checks.
before fb1b72d, we allowed an unprivileged user to add mode bits if these bits do not include S_ISUID or S_ISGID.
after fb1b72d, we only allow an unprivileged user to change these two mode bits as long as they don't mutate other bits in the same operation. as you pointed out, this allows an unprivileged to set the S_ISUID and/or S_ISGID bits if they are the only changed bits in this operation.
will come up with a fix shortly.
BTW, the original commit introducing this change was fb1b72d . we should have referenced it in the backport commit..
There was a problem hiding this comment.
Hey @ThomasLamprecht - thanks for reporting the issue. This is a pretty serious bug and it is straightforward to reproduce.
ls -l xfile
----------. 1 root root 0 Jul 5 09:04 xfile
➜ tmp.y5yfT8L2Jf chmod 6766 xfile
chmod: changing permissions of 'xfile': Operation not permitted
➜ tmp.y5yfT8L2Jf chmod 6000 xfile
➜ tmp.y5yfT8L2Jf ls -l xfile
---S------. 1 root root 0 Jul 5 09:04 xfile
There isn't a test for this in our qa suite too :/
There was a problem hiding this comment.
BTW, the original commit introducing this change was fb1b72d . we should have referenced it in the backport commit..
@tchaikov - the reason for this is that the original issue (which this PR addressed) was raised in the ceph security list initially. The fixes were scrambled as email patches b/w the interested parties. At that point, there wasn't know how on how to test undisclosed security fixes (for which I spent a good amount of time since absolutely no-one seemed to know about it). Unfortunately, with centos8 support getting dropped, we had to do a final quincy point release and this fix had to be merged in the quincy branch first. Yes, this was a wild deviation from our backporting process, but it was something we did as a one time exception.
The fix itself was reviewed however, but, unfortunately, this bug (which @ThomasLamprecht reported) got overlooked during review.
An unprivileged user can
chmod 777a directory owned by root and gain access. Fix this bug and also add a test case for the same.Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
xbetween the brackets:[x]. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windowsjenkins test rook e2e