Dear Linux kernel security team,
I am writing to report a security vulnerability related to cross-filesystem permissions management that I have discovered. This issue appears to impact filesystems like EXT4 and XFS, and it could potentially lead to unauthorized access of sensitive data during the migration of files between different filesystems with varying permission models.
The vulnerability arises when a file with Access Control List (ACL) restrictions, created in a file system that supports ACL (e.g., EXT4 or XFS), is moved or copied to a file system that does not support ACL (e.g., FAT32 or NTFS). During this migration, the ACLs are lost, and the file's permissions fall back to default settings on the target file system, which may allow unauthorized users to access the file.
In certain scenarios, this could lead to privilege escalation or unauthorized access to sensitive files. The issue is especially critical in shared directories or network file systems (e.g., NFS), where users with limited permissions could bypass ACL protections by moving files to other file systems.
The vulnerability occurs when a file with POSIX ACLs (set on EXT4 or XFS) is moved or copied to a file system that uses Windows ACLs (such as NTFS). In this case, the POSIX ACLs are not preserved during the migration, and the file’s permissions are reset to default or more lenient permissions on the target file system. As a result, the file may become accessible to unauthorized users or attackers, bypassing the original ACL restrictions.
Here is a summary of how to reproduce the issue:
1. On an EXT4 or XFS file system, create a file with a specific POSIX ACL that denies access to certain users (e.g., user2).
2. Attempt to move or copy this file to an NTFS file system, which uses Windows ACLs.
3. Upon migration, the POSIX ACL is discarded, and the file’s permissions are reset to the default permissions of the NTFS file system (usually wide-open access).
4. The file can now be accessed by users who were previously restricted under POSIX ACL, allowing unauthorized access.
This issue is critical when files are transferred between file systems with incompatible ACL implementations, particularly in multi-user or shared environments. I have tested this behavior on multiple systems, and it is clear that moving files between file systems with different ACL models leads to unintended permission changes.
Thank you for your attention to this matter. I look forward to your feedback and any further steps in addressing this issue.
Best regards,
Yilin Li
Shandong University
Attachment:
figure.jpg
Description: JPEG image
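A pre-copy check for the scenario in the reproduction steps, as an added example that is not part of the original report: it parses `getfacl` output, looks up the destination's filesystem type in `/proc/mounts`-format text, and lists which named users would gain rights if the ACL were dropped. The `NO_POSIX_ACL` set, the `rwx` fallback, the function names, and the sample ACL and mount table are assumptions constructed for illustration.

```python
# Assumption: /proc/mounts type names treated as unable to store POSIX ACLs.
NO_POSIX_ACL = {"vfat", "exfat", "ntfs", "ntfs3", "fuseblk"}
# Constructed sample data, not taken from the report.
SAMPLE_ACL = """# file: secret.txt
user::rw-
user:user2:---
user:user3:r--
group::r--
mask::r--
other::---
"""
SAMPLE_MOUNTS = """/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,umask=0000 0 0
"""

def parse_getfacl(text):
    """Parse `getfacl` access entries into {(tag, qualifier): perms}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if line and not line.startswith("default:"):
            tag, qualifier, perms = line.split(":")
            acl[(tag, qualifier)] = perms
    return acl

def fs_type_for(path, mounts_text):
    """Filesystem type of the longest mount point that is a prefix of path."""
    best, fstype = "", None
    for fields in (l.split() for l in mounts_text.splitlines() if len(l.split()) >= 3):
        mnt, typ = fields[1], fields[2]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, fstype = mnt, typ
    return fstype

def access_gained(acl_text, fallback="rwx"):
    """Named users whose effective rights grow if they get `fallback` instead of the ACL."""
    acl = parse_getfacl(acl_text)
    mask = set(acl.get(("mask", ""), "rwx")) - {"-"}
    named = {who: set(fallback) - {"-"} - (set(p) & mask)
             for (tag, who), p in acl.items() if tag == "user" and who}
    return {who: "".join(sorted(x)) for who, x in named.items() if x}

def check_copy(acl_text, dest, mounts_text, fallback="rwx"):
    """Report whether copying to dest drops the ACL and who would gain access."""
    fstype = fs_type_for(dest, mounts_text)
    gained = access_gained(acl_text, fallback) if fstype in NO_POSIX_ACL else {}
    return {"dest_fstype": fstype, "acl_dropped": fstype in NO_POSIX_ACL, "gained": gained}
```

On a live system the inputs would come from `getfacl <file>` and the contents of `/proc/mounts`; a non-empty `gained` result is the signal to refuse the copy or to pick a destination that keeps the ACL.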