[H-GEN] Linux 2.4.21-xfs (filesystem) potential security issue
Robert Brockway
robert at timetraveller.org
Mon Jul 7 01:18:02 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
This just came up on the xfs list. I'm not sure if/when this is going out
to Bugtraq and I suspect there are more than a few boxes out there running
this version of xfs in a multi-user environment.
Anyone using Linux kernel 2.4.21 with the xfs snapshot from oss.sgi.com
has a potential security issue in the filesystem.
By default anyone can chown a file they own to any other user/group
(including root). The probability of an issue coming from this is
relatively low since the operation removes the suid bit when it changes
ownership. I did find one limited situation in which this would be an
issue. This is when permissions are used to restrict execution from all
but a particular user or group:
zen:~$ cat ./testfile
#!/bin/bash
echo "I'm executing!"
zen:~$ ls -l testfile
----r-xr-x 1 robert users 46 Jul 7 00:52 testfile*
zen:~$ ./testfile
bash: ./testfile: Permission denied
zen:~$ chown root ./testfile
zen:~$ ls -l ./testfile
----r-xr-x 1 root users 35 Jul 7 00:57 ./testfile*
zen:~$ ./testfile
I'm executing!
I suppose a secondary application might be to create large files and then
change their ownership so as to cause other users to go over quota
(potentially causing mail bounces, and whatnot).
Fix:
echo 1 > /proc/sys/fs/xfs/restrict_chown
Apparently the default was set incorrectly. No idea if 2.5 series
kernels are affected.
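To make the listing above concrete, here is an added model (not code from the post or from XFS) of the two kernel behaviours involved: the permission check picks exactly one class (owner, group or other) for the calling user, and a chown that gives a file away clears the setuid/setgid bits. The uids, gid and file mode are constructed to match the session above (robert in group users, mode ----r-xr-x); root's DAC override is deliberately not modelled.

```python
"""Model of why an owner-initiated chown changes what the owner may execute."""
import stat

# Constructed identities matching the session in the post.
UID_ROBERT = 1000
UID_ROOT = 0
GID_USERS = 100


def permission_class(file_uid, file_gid, uid, gids):
    """Pick the single permission class the kernel checks for this caller.

    Owner bits are used exclusively for the owner, even when the group or
    other bits would grant more. That is the detail the post relies on.
    """
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def can_execute(mode, file_uid, file_gid, uid, gids):
    """Return True if `uid` (with supplementary `gids`) may execute the file."""
    bit = {
        "owner": stat.S_IXUSR,
        "group": stat.S_IXGRP,
        "other": stat.S_IXOTH,
    }[permission_class(file_uid, file_gid, uid, gids)]
    return bool(mode & bit)


def chown_by_owner(mode, new_uid, restrict_chown):
    """Model an unprivileged owner giving the file to `new_uid`.

    restrict_chown=1 (the fix in the post) refuses the call with EPERM.
    restrict_chown=0 (the bad default) lets it through; as the post notes,
    the setuid/setgid bits are dropped on the way, which is why the exposure
    is limited to owner-class restrictions rather than privilege escalation.
    """
    if restrict_chown:
        raise PermissionError("EPERM: restrict_chown is set")
    return new_uid, mode & ~(stat.S_ISUID | stat.S_ISGID)


def demo(restrict_chown=0):
    """Replay the post's session; returns (exec before chown, exec after chown)."""
    mode = 0o055  # ----r-xr-x: owner has nothing, group/other have r-x
    before = can_execute(mode, UID_ROBERT, GID_USERS, UID_ROBERT, {GID_USERS})
    owner, mode = chown_by_owner(mode, UID_ROOT, restrict_chown)
    after = can_execute(mode, owner, GID_USERS, UID_ROBERT, {GID_USERS})
    return before, after


if __name__ == "__main__":
    print("restrict_chown=0 ->", demo(0))  # (False, True): lockout bypassed
    try:
        demo(1)
    except PermissionError as exc:
        print("restrict_chown=1 ->", exc)  # chown refused, restriction holds
```

Running `demo(0)` reproduces the session: robert is denied as owner, then becomes a group-class caller once root owns the file and is allowed through. With `restrict_chown=1` the chown itself is refused, which is the whole effect of the sysctl in the fix.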
I would recommend fixing this on any box that you control.
Rob
--
Robert Brockway B.Sc. email: robert at timetraveller.org ICQ: 104781119
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah