[trusty CVE-2016-7097 1/1] posix_acl: Clear SGID bit when setting file permissions

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Wed Sep 6 13:40:39 UTC 2017


On Wed, Sep 06, 2017 at 10:54:53AM +0200, Juerg Haefliger wrote:
> From: Jan Kara <jack at suse.cz>
> 
> commit 073931017b49d9458aa351605b43a7e34598caef upstream.
> 
> When file permissions are modified via chmod(2) and the user is not in
> the owning group or capable of CAP_FSETID, the setgid bit is cleared in
> inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
> permissions as well as the new ACL, but doesn't clear the setgid bit in
> a similar way; this allows to bypass the check in chmod(2).  Fix that.
> 
> References: CVE-2016-7097
> Reviewed-by: Christoph Hellwig <hch at lst.de>
> Reviewed-by: Jeff Layton <jlayton at redhat.com>
> Signed-off-by: Jan Kara <jack at suse.cz>
> Signed-off-by: Andreas Gruenbacher <agruenba at redhat.com>
> [bwh: Backported to 3.16:
>  - Drop changes to orangefs
>  - Adjust context
>  - Update ext3 as well]
> Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
> 
> CVE-2016-7097
> 
> [juergh: Backported to 3.13:
>  - Drop changes to ceph
>  - Use capable() instead of capable_wrt_inode_uidgid()

We have capable_wrt_inode_uidgid in trusty. Why didn't you use it?

Cascardo.




More information about the kernel-team mailing list