dgit.raspbian.org Git - linux-4.9.git/commit

author	Eric Biggers <ebiggers@google.com>
	Mon, 18 Sep 2017 18:37:03 +0000 (11:37 -0700)
committer	Raspbian kernel package updater <root@raspbian.org>
	Sun, 8 Oct 2017 01:09:34 +0000 (01:09 +0000)
commit	8aa8e1d628a447ec5d4998c90be05ab40f250b14
tree	5069eaf6f603b920e1317f602f9f5e665fab4749	tree \| snapshot
parent	b3d99caaed86d822db14e7cad5d318470dc0da41	commit \| diff

KEYS: prevent creating a different user's keyrings

commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.

It was possible for an unprivileged user to create the user and user
session keyrings for another user.  For example:

    sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
                           keyctl add keyring _uid_ses.4000 "" @u
                           sleep 15' &
    sleep 1
    sudo -u '#4000' keyctl describe @u
    sudo -u '#4000' keyctl describe @us

This is problematic because these "fake" keyrings won't have the right
permissions.  In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:

    -4: alswrv-----v------------  3000     0 keyring: _uid.4000
    -5: alswrv-----v------------  3000     0 keyring: _uid_ses.4000

Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING.  Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.

Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/linux/key.h		diff \| blob \| history
security/keys/internal.h		diff \| blob \| history
security/keys/key.c		diff \| blob \| history
security/keys/keyring.c		diff \| blob \| history
security/keys/process_keys.c		diff \| blob \| history