From: Xiubo Li Date: Wed, 3 Apr 2024 11:02:08 +0000 (+0800) Subject: [PATCH] client: disallow unprivileged users to escalate root privileges X-Git-Tag: archive/raspbian/14.2.21-1+rpi1+deb11u2^2~4 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=c477e23e66ec3b89513e4ea4dcc715f8373e2367;p=ceph.git [PATCH] client: disallow unprivileged users to escalate root privileges An unprivileged user can `chmod 777` a directory owned by root and gain access. Fix this bug and also add a test case for the same. Signed-off-by: Xiubo Li Signed-off-by: Venky Shankar origin: backport, https://github.com/ceph/ceph/commit/b6d85b595ea7c9e0fca10d5e77a48102110fe22c bug-github-pull: https://github.com/ceph/ceph/pull/60314 bug: https://github.com/ceph/ceph/security/advisories/GHSA-89hm-qq33-2fjm bug-debian: https://bugs.debian.org/1108410 Gbp-Pq: Name CVE-2025-52555-1.patch
---
diff --git a/src/client/Client.cc b/src/client/Client.cc
index 22bd81dbb..a4eb50547 100755
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -5448,7 +5448,22 @@ int Client::may_setattr(Inode *in, struct ceph_statx *stx, int mask,
 }
 
 if (mask & CEPH_SETATTR_MODE) {
- if (perms.uid() != 0 && perms.uid() != in->uid)
+ bool allowed = false;
+ /*
+ * Currently the kernel fuse and libfuse code is buggy and
+ * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
+ * But will just set the ATTR_MODE and at the same time by
+ * clearing the suid/sgid bits.
+ *
+ * Only allow unprivileged users to clear S_ISUID and S_ISUID.
+ */
+ if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
+ (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
+ allowed = true;
+ }
+ uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed
+ ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec << dendl;
+ if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
 goto out;
 
 gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid;
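Review bot: The `allowed` test on the new `if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) && ...` line accepts any change to the suid/sgid bits, including setting them, whereas the comment above it says unprivileged users should only be able to clear them; a non-owner can therefore pass this client-side gate with a mode that adds S_ISUID or S_ISGID to an inode they do not own (whether the MDS rejects that downstream is not visible here). Requiring that no bit is added closes the gap, e.g. an extra leading conjunct `(stx->stx_mode & ~in->mode) == 0 &&` in that condition, which together with the existing equality on the non-suid/sgid bits leaves "suid/sgid bits removed" as the only permitted difference. Two smaller points on the same hunk: the comment line `Only allow unprivileged users to clear S_ISUID and S_ISUID.` should read `S_ISUID and S_ISGID`, and within the hunk `m` is computed only to be logged at level 20, so it could either carry the check (`m != 0 && (m & ~(S_ISUID | S_ISGID)) == 0` plus the no-bits-added test) or be dropped. `may_setattr` starts and ends outside the hunk.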