ACK: [PATCH Quantal CVE] userns: Changing any namespace id mappings should require privileges

Luis Henriques luis.henriques at canonical.com
Fri Jun 28 09:59:49 UTC 2013


Steve Conklin <sconklin at canonical.com> writes:

> From: Andy Lutomirski <luto at amacapital.net>
>
> CVE-2013-1979
>
> commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 upstream.
>
> Changing uid/gid/projid mappings doesn't change your id within the
> namespace; it reconfigures the namespace.  Unprivileged programs should
> *not* be able to write these files.  (We're also checking the privileges
> on the wrong task.)
>
> Given the write-once nature of these files and the other security
> checks, this is likely impossible to usefully exploit.
>
> Signed-off-by: Andy Lutomirski <luto at amacapital.net>
> Signed-off-by: Steve Conklin <sconklin at canonical.com>
> ---
>  kernel/user_namespace.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 8660231..34e91b3 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -431,10 +431,10 @@ static ssize_t map_write(struct file *file, const char __user *buf,
>  	if (map->nr_extents != 0)
>  		goto out;
>  
> -	/* Require the appropriate privilege CAP_SETUID or CAP_SETGID
> -	 * over the user namespace in order to set the id mapping.
> +	/*
> +	 * Adjusting namespace settings requires capabilities on the target.
>  	 */
> -	if (!ns_capable(ns, cap_setid))
> +	if (!file_ns_capable(file, ns, CAP_SYS_ADMIN))
>  		goto out;
>  
>  	/* Get a buffer */
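Review bot: the replacement comment loses the information a reader needs to understand the new check; since file_ns_capable() tests the credentials of whoever opened the file rather than the task writing to it, and the required capability moves from the uid/gid-specific cap_setid to CAP_SYS_ADMIN, the comment should state both, e.g. "Require CAP_SYS_ADMIN over the target namespace, checked against the credentials the file was opened with." Two things to confirm before applying: that file_ns_capable() already exists in the Quantal tree, since the hunk calls it without introducing it, and that cap_setid is still used elsewhere in map_write() after its only visible use is removed here, so the backport does not leave an unused parameter behind.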

Although this is an additional fix suggested by sarnold (the actual
CVE is already fixed in Quantal), it provides additional hardening to
the kernel.  The backport seems correct to me.

Note however that the Q kernel doesn't seem to activate this code
(USER_NS isn't set).

Also, the buglink is missing in the commit text:

 BugLink: http://bugs.launchpad.net/bugs/1174827

Cheers,
-- 
Luis
