oss-sec mailing list archives
Re: CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 21 May 2009 19:37:53 -0400 (EDT)
On Wed, 13 May 2009, Eugene Teo wrote:
Frank Filz reported: the problem is that permission checking is skipped if atomic open is possible, but when exec opens a file, it just opens it O_READONLY which means EXEC permission will not be checked at that time.
====================================================== Name: CVE-2009-1630 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630 Reference: MLIST:[linux-nfs] 20090509 [NFS] [PATCH] nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission. Reference: URL:http://article.gmane.org/gmane.linux.nfs/26592 Reference: MLIST:[nfsv4] 20061116 Status of execute permissions in NFSv4 ACLs ? Reference: URL:http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html Reference: MLIST:[nfsv4] 20061117 [Patch] Re: Status of execute permissions in NFSv4 ACLs ? Reference: URL:http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html Reference: MLIST:[oss-security] 20090513 CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission Reference: URL:http://www.openwall.com/lists/oss-security/2009/05/13/2 Reference: CONFIRM:http://bugzilla.linux-nfs.org/show_bug.cgi?id=131 Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=500297 Reference: BID:34934 Reference: URL:http://www.securityfocus.com/bid/34934 The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.
Current thread:
- CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission Eugene Teo (May 13)
- Re: CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission Eugene Teo (May 19)
- Re: CVE request: kernel: problem with NFS v4 client handling of MAY_EXEC in nfs_permission Steven M. Christey (May 21)