oss-sec mailing list archives

CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission


From: Eugene Teo <eugene () redhat com>
Date: Wed, 13 May 2009 17:05:38 +0800

Frank Filz reported: the problem is that permission checking is skipped
if atomic open is possible, but when exec opens a file, it just opens it
O_READONLY which means EXEC permission will not be checked at that time.

This problem is observed by the following sequence (executed as root):

mount -t nfs4 server:/ /mnt4
echo "ls" >/mnt4/foo
chmod 744 /mnt4/foo
su guest -c "/mnt4/foo"

linux-2.6.29.3/fs/nfs/dir.c:
1928 int nfs_permission(struct inode *inode, int mask)
1929 {
[...]
1941         switch (inode->i_mode & S_IFMT) {
1942                 case S_IFLNK:
1943                         goto out;
1944                 case S_IFREG:
1945                         /* NFSv4 has atomic_open... */
1946                         if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
1947                                         && (mask & MAY_OPEN))

We need to make sure that if mask & MAY_EXEC, we force a permission
check, otherwise the script can be executed even if guest has no +x
permission.

1948                                 goto out;
1949                         break;

http://article.gmane.org/gmane.linux.nfs/26592
https://bugzilla.redhat.com/show_bug.cgi?id=500297
http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
http://bugzilla.linux-nfs.org/show_bug.cgi?id=131

Thanks, Eugene
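The short-circuit described in the message above, modelled in user space as an added example (this is not code from the post, from the kernel, or from the linked threads): the predicate quoted from fs/nfs/dir.c is placed beside one that forces a check whenever MAY_EXEC is set, which is what the message asks for. It assumes, as the report implies, that the exec path asks for MAY_EXEC together with MAY_OPEN before opening the file read-only. The mask bit values, the uid chosen for "guest", the simplified mode-bit check standing in for the server round trip, and the fixed predicate are all assumptions of this model; the kernel's actual patch is not quoted on this page.

```c
#include <stdbool.h>
#include <stdio.h>

/* Permission-mask bits for this model (assumed values, not the kernel's). */
#define MAY_EXEC  0x01
#define MAY_WRITE 0x02
#define MAY_READ  0x04
#define MAY_OPEN  0x20

/* Model of a regular file on an NFSv4 export. */
struct model_inode {
    unsigned mode;       /* permission bits, e.g. 0744 */
    unsigned owner_uid;  /* owner of the file */
    bool atomic_open;    /* server advertises NFS_CAP_ATOMIC_OPEN */
};

/*
 * Ordinary mode-bit check, standing in for the access check that
 * nfs_permission() falls through to when it does not short-circuit.
 * Group bits are ignored in this model.
 */
static bool model_access(const struct model_inode *ino, unsigned uid, int mask)
{
    unsigned bits = (uid == ino->owner_uid) ? (ino->mode >> 6) & 7
                                            : ino->mode & 7;
    if ((mask & MAY_READ)  && !(bits & 4)) return false;
    if ((mask & MAY_WRITE) && !(bits & 2)) return false;
    if ((mask & MAY_EXEC)  && !(bits & 1)) return false;
    return true;
}

/*
 * Shape of the 2.6.29 predicate quoted in the message: on an atomic-open
 * capable server, any request carrying MAY_OPEN skips the check, on the
 * assumption that the OPEN itself will enforce access. For exec that
 * assumption fails: the file is then opened read-only and EXEC is never
 * checked.
 */
static bool nfs_permission_vuln(const struct model_inode *ino, unsigned uid, int mask)
{
    if (ino->atomic_open && (mask & MAY_OPEN))
        return true;                     /* the "goto out" */
    return model_access(ino, uid, mask);
}

/*
 * One way to force the check the message asks for: keep the short-circuit
 * for plain opens, but never take it when MAY_EXEC is in the mask. This is
 * the example's own predicate, not the kernel's eventual patch.
 */
static bool nfs_permission_fixed(const struct model_inode *ino, unsigned uid, int mask)
{
    if (ino->atomic_open && (mask & MAY_OPEN) && !(mask & MAY_EXEC))
        return true;
    return model_access(ino, uid, mask);
}

/* Constructed scenario from the post: root creates /mnt4/foo with mode 0744. */
static const struct model_inode foo = { 0744, 0, true };
#define ROOT_UID  0
#define GUEST_UID 1000   /* assumed uid for "guest" */

/* exec: the VFS asks for MAY_EXEC together with MAY_OPEN before the read-only open. */
bool guest_exec_allowed_vuln(void)  { return nfs_permission_vuln(&foo, GUEST_UID, MAY_EXEC | MAY_OPEN); }
bool guest_exec_allowed_fixed(void) { return nfs_permission_fixed(&foo, GUEST_UID, MAY_EXEC | MAY_OPEN); }
bool root_exec_allowed_fixed(void)  { return nfs_permission_fixed(&foo, ROOT_UID, MAY_EXEC | MAY_OPEN); }
/* A plain read-only open by guest is still fast-pathed after the fix. */
bool guest_read_open_fixed(void)    { return nfs_permission_fixed(&foo, GUEST_UID, MAY_READ | MAY_OPEN); }

int main(void)
{
    printf("guest exec, vulnerable : %s\n", guest_exec_allowed_vuln()  ? "allowed" : "denied");
    printf("guest exec, fixed      : %s\n", guest_exec_allowed_fixed() ? "allowed" : "denied");
    printf("root  exec, fixed      : %s\n", root_exec_allowed_fixed()  ? "allowed" : "denied");
    printf("guest read-open, fixed : %s\n", guest_read_open_fixed()    ? "allowed" : "denied");
    return 0;
}
```

The vulnerable predicate lets guest past nfs_permission() for the exec request even though mode 0744 grants guest no x bit; the fixed predicate denies it while leaving a plain read-only open on the fast path, which is the behaviour the atomic-open shortcut was meant to preserve.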

