Re: [PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare


On 09/16/2011 01:42 AM, Guido Trentalancia wrote:
> Hello Dave, thanks for the explanation
> 
> On Thu, 2011-09-15 at 17:07 -0400, dave w wrote:
>> On Thu, Sep 15, 2011 at 4:07 PM, Guido Trentalancia 
>> <guido@xxxxxxxxxxxxxxxx> wrote:
>>> Hello Dave.
>>> 
>>> On Thu, 2011-09-15 at 13:39 -0400, dave w wrote:
>>>> Hi,
>>>> 
>>>> This patch addresses a flaw in seunshare.c that allows
>>>> unprivileged users to arbitrarily modify the contents of
>>>> /tmp.  This bug is further described in CVE 2011-1011 
>>>> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011):
>>>
>>> seunshare should not be installed by default and, even if it still
>>> needed to be installed by default, its setuid bit should be
>>> carefully re-evaluated in my opinion.
>>> 
>> 
>> Perhaps, but distros that install seunshare at present will be
>> made safer with the addition of a patch which eliminates an
>> attack vector to a privilege escalation.
> 
> So the question now is: CVE-2011-1011 is dated 20110214, how come
> this is only getting sorted out for upstream now?
> 
>>> In any case, good practice says nothing should ever be allowed
>>> to mount under /tmp with suid/exec flags (use noexec,nosuid
>>> options in fstab).
>>> 
>>> That said, have you tested the patch already? Is it effective?
>>> 
>> 
>> Yes, the patch has been effective and with it applied,
>> unprivileged users cannot delete files other than their own from
>> /tmp, which is the expected behavior in a directory with the
>> sticky bit set owned by the superuser.
>> 
>>> Thanks.
>>> 
>>> Guido
>>> 
>>>> The seunshare_mount function in sandbox/seunshare.c in
>>>> seunshare in certain Red Hat packages of policycoreutils
>>>> 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and
>>>> earlier, and Fedora 14 and earlier, mounts a new directory on
>>>> top of /tmp without assigning root ownership and the sticky
>>>> bit to this new directory, which allows local users to
>>>> replace or delete arbitrary /tmp files, and consequently
>>>> cause a denial of service or possibly gain privileges, by
>>>> running a setuid application that relies on /tmp, as
>>>> demonstrated by the ksu application
> 
> What happened exactly for upstream since the CVE was initially
> released?
> 
>>>> This patch preserves the mode bits, and thus permissions,
>>>> and ownership of the destination directory of the bind mount
>>>> performed by seunshare.  The permission check in
>>>> verify_mount() was relaxed for directories that originally had
>>>> the sticky bit set, as root ownership is required for these
>>>> to ensure that unprivileged users cannot unlink arbitrary
>>>> files in the newly bind mounted directory.
> 
> Is it the first time ever that you post a patch to try sorting out
> the same issue ?
> 
>>>> Thanks, David
> 
> Thanks, Guido.
> 
> 
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
> without quotes as the message.
> 
> 

We fixed it in Fedora and RHEL and either we dropped the ball or
upstream did on getting the fix into the upstream policy.
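An added example, not code from the patch or from seunshare itself: the two properties the patch description above relies on (a sticky destination must be root-owned, and the bind-mount destination must keep the original's mode bits and ownership) written as stand-alone C functions. It assumes the unrelaxed verify_mount() rule is that a non-sticky destination belongs to the calling user; the `caller` parameter and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum dest_verdict { DEST_OK = 0, DEST_NOT_DIR, DEST_NOT_OWNED, DEST_STICKY_NOT_ROOT };

/* Decide whether a directory may serve as the bind-mount destination.
 * Pure function of the stat data and the caller's uid so it can be unit
 * tested without root. "caller" is an assumed parameter, not seunshare's API. */
enum dest_verdict check_mount_dest_stat(const struct stat *st, uid_t caller)
{
    if (!S_ISDIR(st->st_mode))
        return DEST_NOT_DIR;
    if (st->st_mode & S_ISVTX)
        /* A sticky directory such as /tmp limits unlink to the file owner,
         * the directory owner and root, so it must belong to root or its
         * owner could still remove every other user's files. */
        return st->st_uid == 0 ? DEST_OK : DEST_STICKY_NOT_ROOT;
    /* Assumed baseline rule: a non-sticky destination must be the caller's own. */
    return st->st_uid == caller ? DEST_OK : DEST_NOT_OWNED;
}

enum dest_verdict check_mount_dest(const char *path, uid_t caller)
{
    struct stat st;
    if (lstat(path, &st) != 0)   /* lstat: a symlink at path is not a directory */
        return DEST_NOT_DIR;
    return check_mount_dest_stat(&st, caller);
}

/* Copy owner, group and all permission bits (sticky bit included) from the
 * original directory to the new one, through O_NOFOLLOW directory descriptors
 * so a symlink swapped in at either path is refused rather than followed. */
int preserve_dir_attrs(const char *src, const char *dst)
{
    struct stat st;
    int sfd = open(src, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (sfd < 0 || fstat(sfd, &st) != 0) { if (sfd >= 0) close(sfd); return -1; }
    close(sfd);
    int dfd = open(dst, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* chown first: changing the owner may clear mode bits on some systems. */
    int rc = (fchown(dfd, st.st_uid, st.st_gid) == 0 &&
              fchmod(dfd, st.st_mode & 07777) == 0) ? 0 : -1;
    close(dfd);
    return rc;
}
```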
