The Samba-Bugzilla – Attachment 7410 Details for
Bug 8821
mount.cifs arbitrary file identification as root
patch -- mount.cifs: don't enable CAP_DAC_READ_SEARCH before chdir for non-root users
0001-mount.cifs-don-t-enable-CAP_DAC_READ_SEARCH-before-c.patch (text/plain), 1.71 KB, created by
Jeff Layton
on 2012-03-28 15:26:58 UTC
>From 0522ef4ec04b0a24cd8adc660cfc24f384489c18 Mon Sep 17 00:00:00 2001 >From: Jeff Layton <jlayton@samba.org> >Date: Wed, 28 Mar 2012 11:18:59 -0400 >Subject: [PATCH] mount.cifs: don't enable CAP_DAC_READ_SEARCH before chdir > for non-root users > >An attacker could use the fact that we chdir into the mountpoint early >with elevated privileges in order to gather information about >dentries that live in directories to which he has no access. > >In order to prevent that, don't reacquire CAP_DAC_READ_SEARCH prior to >doing the chdir() if the real uid is non-root. This should prevent any >information disclosure when mount.cifs is built with support for >capabilities, but distros that don't have that will still be vulnerable >and should probably not install mount.cifs setuid root. > >Signed-off-by: Jeff Layton <jlayton@samba.org> >--- > mount.cifs.c | 18 ++++++++++++------ > 1 files changed, 12 insertions(+), 6 deletions(-) > >diff --git a/mount.cifs.c b/mount.cifs.c >index c0aea35..9aa4a73 100644 >--- a/mount.cifs.c >+++ b/mount.cifs.c >@@ -1953,9 +1953,12 @@ int main(int argc, char **argv) > mountpoint = argv[optind + 1]; > > /* chdir into mountpoint as soon as possible */ >- rc = toggle_dac_capability(0, 1); >- if (rc) >- return rc; >+ if (!getuid()) { >+ rc = toggle_dac_capability(0, 1); >+ if (rc) >+ return rc; >+ } >+ > rc = chdir(mountpoint); > if (rc) { > fprintf(stderr, "Couldn't chdir to %s: %s\n", mountpoint, >@@ -1971,9 +1974,12 @@ int main(int argc, char **argv) > rc = EX_SYSERR; > goto mount_exit; > } >- rc = toggle_dac_capability(0, 0); >- if (rc) >- return rc; >+ >+ if (!getuid()) { >+ rc = toggle_dac_capability(0, 0); >+ if (rc) >+ return rc; >+ } > > /* > * mount.cifs does privilege separation. Most of the code to handle >-- >1.7.7.6 >
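Review bot: The `if (!getuid())` guard added before `rc = chdir(mountpoint);` in the first hunk (@@ -1953) has no comment explaining why the capability is skipped for a non-root real uid, and the existing comment above it still only says "chdir into mountpoint as soon as possible". Please add a short comment at the guard stating that a non-root caller must perform the chdir with its own access rights so that nothing about directories it cannot reach is disclosed. The commit message also says builds without capability support remain vulnerable; since the guard only controls the `toggle_dac_capability(0, 1)` call, that limitation should be noted in the same comment so a later reader does not take the check for a complete fix.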
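Review bot: The second hunk (@@ -1971) repeats the `if (!getuid())` test around `toggle_dac_capability(0, 0)`, so the raise and the drop are paired only by two independent calls to `getuid()` written a few lines apart. Consider evaluating it once into a local before the first guard and testing that local in both places, so a later edit to one condition cannot leave the capability raised without the matching drop. Separately, the re-added `return rc;` leaves `main()` directly, while the error branch just above it sets `rc = EX_SYSERR` and uses `goto mount_exit`; it is worth confirming that skipping `mount_exit` is intended on this path.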