Bug 8420 - open() call allows setgid bit when user is not in new file's group
Summary: open() call allows setgid bit when user is not in new file's group
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: i386 Linux
Importance: P2 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-02 12:56 UTC by David Watson
Modified: 2008-09-26 05:51 UTC
CC List: 3 users

See Also:
Kernel Version: 2.6.21.1
Subsystem:
Regression: ---
Bisected commit-id:


Attachments
Python script to reproduce (219 bytes, text/x-python)
2007-05-02 12:57 UTC, David Watson

Description David Watson 2007-05-02 12:56:11 UTC
When creating a file, open()/creat() allows the setgid bit to be set
via the mode argument even when, due to the bsdgroups mount option or
the file being created in a setgid directory, the new file's group is
one which the user is not a member of.  The user can then use
ftruncate() and memory-mapped I/O to turn the new file into an
arbitrary binary and thus gain the privileges of this group, since
these operations do not clear the setgid bit.
Comment 1 David Watson 2007-05-02 12:57:26 UTC
Created attachment 11377 [details]
Python script to reproduce

When run in a setgid directory, this should produce a copy of
/usr/bin/id that is setgid to the directory group, regardless of
whether the user belongs to it.  I've verified this on the ext2, ext3,
ReiserFS, XFS, JFS and tmpfs file systems.
Comment 2 Eric Sandeen 2008-09-23 10:33:21 UTC
I believe this was fixed in:

commit 7b82dc0e64e93f430182f36b46b79fcee87d3532
Author: Linus Torvalds <torvalds@woody.linux-foundation.org>
Date:   Tue May 8 20:10:00 2007 -0700

    Remove suid/sgid bits on [f]truncate()

    .. to match what we do on write().  This way, people who write to files
    by using [f]truncate + writable mmap have the same semantics as if they
    were using the write() family of system calls.

    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

If you concur please close?

Thanks,
-Eric
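As an added regression check (not part of the bug report, the attachment, or the kernel patch), the Python probe below performs the ftruncate() step of the sequence described in the report and observes whether S_ISGID survives, which is exactly what commit 7b82dc0e64e9 changed. The scratch file, the 02770 mode and the verdict strings are constructed here; it assumes a Linux host and reports "inconclusive" when run as root, because CAP_FSETID exempts the caller from the bit removal.

```python
import os
import stat
import sys
import tempfile


def ftruncate_clears_sgid(dirpath=None):
    """Probe whether this kernel strips S_ISGID on ftruncate().

    Creates a group-executable setgid regular file, truncates it through
    the open descriptor (the call the fix hooks) and inspects the mode
    afterwards.  Returns a dict with the observed bits and a verdict.
    """
    fd, path = tempfile.mkstemp(dir=dirpath)  # constructed scratch file
    try:
        # should_remove_suid() only kills S_ISGID when S_IXGRP is also set,
        # so request 02770 explicitly; fchmod() is not subject to the umask.
        os.fchmod(fd, 0o2770)
        before = os.fstat(fd).st_mode
        # Deliberately no write(): write() has always dropped these bits.
        # The reported sequence avoided it by sizing the file with
        # ftruncate() and filling it through a writable mmap instead.
        os.ftruncate(fd, 4096)
        after = os.fstat(fd).st_mode
    finally:
        os.close(fd)
        os.unlink(path)

    before_sgid = bool(before & stat.S_ISGID)
    after_sgid = bool(after & stat.S_ISGID)
    # CAP_FSETID (normally held by root) exempts the caller from the kill,
    # so a root run cannot tell a fixed kernel from a vulnerable one.
    privileged = hasattr(os, "geteuid") and os.geteuid() == 0

    if not before_sgid:
        verdict = "inconclusive (could not set S_ISGID on the scratch file)"
    elif not sys.platform.startswith("linux"):
        verdict = "inconclusive (not Linux)"
    elif privileged:
        verdict = "inconclusive (CAP_FSETID exempts the caller)"
    elif after_sgid:
        verdict = "vulnerable (S_ISGID survived ftruncate)"
    else:
        verdict = "fixed (S_ISGID cleared by ftruncate)"

    return {"before_sgid": before_sgid, "after_sgid": after_sgid,
            "privileged": privileged, "verdict": verdict}


if __name__ == "__main__":
    print(ftruncate_clears_sgid())
```

Run it as an unprivileged user in a directory on the filesystem you care about; the fix lives in the VFS do_truncate() path, so the result should not depend on the filesystem type.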
Comment 3 Eugene Teo 2008-09-24 03:27:52 UTC
(In reply to comment #2)
> I believe this was fixed in :
> 
> commit 7b82dc0e64e93f430182f36b46b79fcee87d3532
> Author: Linus Torvalds <torvalds@woody.linux-foundation.org>
> Date:   Tue May 8 20:10:00 2007 -0700
> 
>     Remove suid/sgid bits on [f]truncate()

Thanks Eric. I have tested this. This patch fixes the problem, and prevents the possible disclosure of privileged information.

Thanks, Eugene
