Bug 8420
| Summary: | open() call allows setgid bit when user is not in new file's group | ||
|---|---|---|---|
| Product: | File System | Reporter: | David Watson (baikie) |
| Component: | Other | Assignee: | fs_other |
| Status: | CLOSED CODE_FIX | ||
| Severity: | normal | CC: | eugeneteo, randy.dunlap, sandeen |
| Priority: | P2 | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.21.1 | Subsystem: | |
| Regression: | --- | Bisected commit-id: | |
| Attachments: | Python script to reproduce | ||
|
Description
David Watson
2007-05-02 12:56:11 UTC
Created attachment 11377 [details]
Python script to reproduce
When run in a setgid directory, this should produce a copy of
/usr/bin/id that is setgid to the directory group, regardless of
whether the user belongs to it. I've verified this on the ext2, ext3,
ReiserFS, XFS, JFS and tmpfs file systems.
I believe this was fixed in : commit 7b82dc0e64e93f430182f36b46b79fcee87d3532 Author: Linus Torvalds <torvalds@woody.linux-foundation.org> Date: Tue May 8 20:10:00 2007 -0700 Remove suid/sgid bits on [f]truncate() .. to match what we do on write(). This way, people who write to files by using [f]truncate + writable mmap have the same semantics as if they were using the write() family of system calls. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> If you concur please close? Thanks, -Eric (In reply to comment #2) > I believe this was fixed in : > > commit 7b82dc0e64e93f430182f36b46b79fcee87d3532 > Author: Linus Torvalds <torvalds@woody.linux-foundation.org> > Date: Tue May 8 20:10:00 2007 -0700 > > Remove suid/sgid bits on [f]truncate() Thanks Eric. I have tested this. This patch fixes the problem, and prevents the possible disclosure of privileged information. Thanks, Eugene |