Ack: [PATCH Quantal CVE] userns: Changing any namespace id mappings should require privileges
Brad Figg
brad.figg at canonical.com
Thu Jun 27 20:12:57 UTC 2013
On 06/27/2013 12:44 PM, Steve Conklin wrote:
> From: Andy Lutomirski <luto at amacapital.net>
>
> CVE-2013-1979
>
> commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 upstream.
>
> Changing uid/gid/projid mappings doesn't change your id within the
> namespace; it reconfigures the namespace. Unprivileged programs should
> *not* be able to write these files. (We're also checking the privileges
> on the wrong task.)
>
> Given the write-once nature of these files and the other security
> checks, this is likely impossible to usefully exploit.
>
> Signed-off-by: Andy Lutomirski <luto at amacapital.net>
> Signed-off-by: Steve Conklin <sconklin at canonical.com>
> ---
> kernel/user_namespace.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 8660231..34e91b3 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -431,10 +431,10 @@ static ssize_t map_write(struct file *file, const char __user *buf,
> if (map->nr_extents != 0)
> goto out;
>
> - /* Require the appropriate privilege CAP_SETUID or CAP_SETGID
> - * over the user namespace in order to set the id mapping.
> + /*
> + * Adjusting namespace settings requires capabilities on the target.
> */
> - if (!ns_capable(ns, cap_setid))
> + if (!file_ns_capable(file, ns, CAP_SYS_ADMIN))
> goto out;
>
> /* Get a buffer */
>
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
More information about the kernel-team
mailing list