oss-sec mailing list archives
CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission
From: Eugene Teo <eugene () redhat com>
Date: Wed, 13 May 2009 17:05:38 +0800
Frank Filz reported: the problem is that permission checking is skipped if atomic open is possible, but when exec opens a file, it just opens it O_READONLY which means EXEC permission will not be checked at that time.

This problem is observed by the following sequence (executed as root):

    mount -t nfs4 server:/ /mnt4
    echo "ls" >/mnt4/foo
    chmod 744 /mnt4/foo
    su guest -c "mnt4/foo"

linux-2.6.29.3/fs/nfs/dir.c:

    int nfs_permission(struct inode *inode, int mask)
    {
    [...]
            switch (inode->i_mode & S_IFMT) {
                    case S_IFLNK:
                            goto out;
                    case S_IFREG:
                            /* NFSv4 has atomic_open... */
                            if (nfs_server_capable(inode, \
                                                    NFS_CAP_ATOMIC_OPEN)
                                            && (mask & MAY_OPEN))

We need to make sure that if mask & MAY_EXEC, we force a permission check, otherwise the script can be executed even if guest has no +x permission.

                                    goto out;
                            break;

http://article.gmane.org/gmane.linux.nfs/26592
https://bugzilla.redhat.com/show_bug.cgi?id=500297
http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
http://bugzilla.linux-nfs.org/show_bug.cgi?id=131

Thanks, Eugene
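Added example (not part of the original message and not kernel code): a userspace model of the decision described in the report, comparing the skip-on-MAY_OPEN behaviour with a variant that forces the check whenever MAY_EXEC is requested. The struct, function names, mask values and the assumption that exec requests MAY_EXEC | MAY_OPEN are all constructed for this sketch.

```c
#include <stdio.h>

/* Mask bits modelled on the kernel's; the values are assumptions of this sketch. */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4, MAY_OPEN = 32 };
enum { EACCES_ERR = 13 };

struct file_model { unsigned mode; unsigned owner; int atomic_open; };

/* Classic owner/other mode-bit check (group and root override omitted). */
static int mode_check(const struct file_model *f, unsigned uid, int mask)
{
    unsigned bits = (uid == f->owner) ? (f->mode >> 6) & 7u : f->mode & 7u;
    unsigned want = (unsigned)mask & (MAY_EXEC | MAY_WRITE | MAY_READ);
    return ((bits & want) == want) ? 0 : -EACCES_ERR;
}

/* Behaviour described in the report: any MAY_OPEN request against an
 * atomic-open capable server skips the client-side permission check. */
static int perm_skip_on_open(const struct file_model *f, unsigned uid, int mask)
{
    if (f->atomic_open && (mask & MAY_OPEN))
        return 0;
    return mode_check(f, uid, mask);
}

/* The report's requirement: a request carrying MAY_EXEC is always checked. */
static int perm_force_exec(const struct file_model *f, unsigned uid, int mask)
{
    if (f->atomic_open && (mask & MAY_OPEN) && !(mask & MAY_EXEC))
        return 0;
    return mode_check(f, uid, mask);
}

typedef int (*perm_fn)(const struct file_model *, unsigned, int);

/* Modelled exec path: permission hook first, then a read-only open,
 * which by itself only tests read access. */
static int exec_allowed(perm_fn perm, const struct file_model *f, unsigned uid)
{
    if (perm(f, uid, MAY_EXEC | MAY_OPEN) != 0)
        return 0;
    return mode_check(f, uid, MAY_READ) == 0;
}

int main(void)
{
    struct file_model foo = { 0744, 0, 1 };  /* constructed: foo, mode 744, owned by root */
    printf("skip-on-open: guest exec = %d\n", exec_allowed(perm_skip_on_open, &foo, 1000));
    printf("force-exec:   guest exec = %d\n", exec_allowed(perm_force_exec, &foo, 1000));
    return 0;
}
```

With the 744 file from the reproduction, the first variant lets the non-owner through because only read access is ever tested; the second denies it while leaving ordinary opens on the atomic-open path.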