oss-sec mailing list archives
Re: Re: ecryptfs headsup
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 11 Jul 2012 17:27:41 -0600
On 07/11/2012 10:48 AM, Kurt Seifried wrote:
> Hi Tyler, et al.-
>
> I don't have any objections at all with adding nosuid and nodev to the hardcoded mount.ecryptfs_private options.
>
> Actually, I seem to recall this coming up recently before. I can't find the bug or email thread (must have been IRC), but I recall offering to commit, test, and release that change immediately. I believe I was asked to wait to do that until a CVE had been published... I can't find any record of that conversation though, so that's just from memory.
>
> Shall I go ahead and commit/test/release that now, Tyler?
>
> So it sounds like a non privileged user on an Ubuntu machine can insert a USB stick/etc with a file system that gets automatically mounted, said file system can contain setuid root binaries for example which the user can then execute, elevating privileges?

Please use CVE-2012-3409 for the ecryptfs mount.ecryptfs_private which allows setuid and dev enabled filesystems, this affects multiple Linux vendors.

Just to confirm: this only affects systems with a setuid mount.ecryptfs_private?

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
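Added example, not part of the original message or of the ecryptfs-utils code: a defender-side audit that lists mounted eCryptfs filesystems lacking the `nosuid` and `nodev` options discussed above, and reports whether the mount helper is setuid. The helper path `/sbin/mount.ecryptfs_private` and the sample mount table are assumptions constructed for illustration.

```python
import os
import re
import stat

REQUIRED = ("nosuid", "nodev")            # options the thread proposes to hardcode
HELPER = "/sbin/mount.ecryptfs_private"   # assumed install path; varies by distro

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef 0 0
/home/bob/.Private /home/bob/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=fedcba9876543210 0 0
/home/carol/.Private /home/carol/My\\040Docs ecryptfs rw,nosuid,relatime 0 0
"""

def _unescape(field):
    """Decode the octal escapes (e.g. \\040 for a space) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_ecryptfs_mounts(mounts_text):
    """Return [(mountpoint, [missing options])] for ecryptfs mounts."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "ecryptfs":
            continue
        opts = set(fields[3].split(","))
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            findings.append((_unescape(fields[1]), missing))
    return findings

def helper_is_setuid(path=HELPER):
    """True/False if the helper exists, None if it is not installed at path."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    return bool(mode & stat.S_ISUID)

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_MOUNTS  # fall back to the constructed sample
    for mountpoint, missing in audit_ecryptfs_mounts(text):
        print(f"{mountpoint}: missing {','.join(missing)}")
    print(f"{HELPER} setuid: {helper_is_setuid()}")
```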