[PATCH 5/5] userns: Changing any namespace id mappings should require privileges (CVE-2013-1979)
John Johansen
john.johansen at canonical.com
Tue Apr 30 20:59:05 UTC 2013
From: Andy Lutomirski <luto at amacapital.net>
Changing uid/gid/projid mappings doesn't change your id within the
namespace; it reconfigures the namespace. Unprivileged programs should
*not* be able to write these files. (We're also checking the privileges
on the wrong task.)
Given the write-once nature of these files and the other security
checks, this is likely impossible to usefully exploit.
Signed-off-by: Andy Lutomirski <luto at amacapital.net>
(cherry picked from commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5)
CVE-2013-1979
BugLink: https://launchpad.net/bugs/1174827
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
kernel/user_namespace.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index c594802..78ad285 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -576,10 +576,10 @@ static ssize_t map_write(struct file *file, const char __user *buf,
if (map->nr_extents != 0)
goto out;
- /* Require the appropriate privilege CAP_SETUID or CAP_SETGID
- * over the user namespace in order to set the id mapping.
+ /*
+ * Adjusting namespace settings requires capabilities on the target.
*/
- if (cap_valid(cap_setid) && !ns_capable(ns, cap_setid))
+ if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
goto out;
/* Get a buffer */
--
1.8.1.2
More information about the kernel-team
mailing list