[ubuntu-hardened] [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare

[Eric Paris]

On Thu, Sep 15, 2011 at 1:39 PM, dave w <nullcore at gmail.com> wrote:
> Hi,
>
> This patch addresses a flaw in seunshare.c that allows unprivileged
> users to arbitrarily modify the contents of /tmp.  This bug is further
> described in CVE 2011-1011
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011):
>
> The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
> Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat
> Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a
> new directory on top of /tmp without assigning root ownership and the
> sticky bit to this new directory, which allows local users to replace or
> delete arbitrary /tmp files, and consequently cause a denial of service or
> possibly gain privileges, by running a setuid application that relies on
> /tmp, as demonstrated by the ksu application
>
> This patch preserves the mode bits, and thus permissions, and
> ownership of the destination directory of the bind mount performed by
> seunshare.  The permission check in verify_mount() was relaxed for
> directories who originally had the sticky bit set, as root ownership
> is required for these to ensure that unprivileged users cannot unlink
> arbitrary files in the newly bind mounted directory.

As Dan pointed out one of us dropped the ball on this.  I have
committed huge amounts of seunshare changes from the Fedora tree to
the upstream git tree.  It should include fixes for this problem as
well.  Your patch is definitely a smaller fix for the problem at hand
as the Fedora tree has largely rewritten how filesystem mounting is
done as might be appropriate for backports to old code if a distro is
not ready to take the plunge into the wild world of new upstream
tools!

-Eric