ACK: [PATCH][SRU][T/X/A/B/C] Fix up non-directory creation in SGID directories
Stefan Bader
stefan.bader at canonical.com
Thu Jul 19 12:19:17 UTC 2018
On 16.07.2018 20:50, Tyler Hicks wrote:
> From: Linus Torvalds <torvalds at linux-foundation.org>
>
> BugLink: https://launchpad.net/bugs/1779923
> CVE-2018-13405
>
> sgid directories have special semantics, making newly created files in
> the directory belong to the group of the directory, and newly created
> subdirectories will also become sgid. This is historically used for
> group-shared directories.
>
> But group directories writable by non-group members should not imply
> that such non-group members can magically join the group, so make sure
> to clear the sgid bit on non-directories for non-members (but remember
> that sgid without group execute means "mandatory locking", just to
> confuse things even more).
>
> Reported-by: Jann Horn <jannh at google.com>
> Cc: Andy Lutomirski <luto at kernel.org>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7)
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> fs/inode.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 5c1138e9cac0..797b4cb3d20b 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -2008,8 +2008,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
> inode->i_uid = current_fsuid();
> if (dir && dir->i_mode & S_ISGID) {
> inode->i_gid = dir->i_gid;
> +
> + /* Directories are special, and always inherit S_ISGID */
> if (S_ISDIR(mode))
> mode |= S_ISGID;
> + else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
> + !in_group_p(inode->i_gid) &&
> + !capable_wrt_inode_uidgid(dir, CAP_FSETID))
> + mode &= ~S_ISGID;
> } else
> inode->i_gid = current_fsgid();
> inode->i_mode = mode;
>
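Review bot: The new `else if` branch in inode_init_owner() carries no comment, although the directory branch just above it gained one. The test `(mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)` deliberately leaves S_ISGID without S_IXGRP untouched. The commit message ties that case to the "mandatory locking" meaning, and the rationale belongs next to the condition rather than only in the changelog. A short comment before the `else if` would do, for example `/* sgid without group execute means mandatory locking: leave it alone */`. The same comment could note that the capability check is made against `dir` rather than the new inode, while the membership check uses `inode->i_gid`, which was copied from `dir->i_gid` two lines earlier.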