[Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS

[Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS

[jld at mozilla dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

            Bug ID: 18683
           Summary: Linux faccessat implementation can incorrectly ignore
                    AT_EACCESS
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: jld at mozilla dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

The Linux implementation of faccessat() assumes that if __libc_enable_secure is
0 then the process's real and effective capabilities are equal and it can
ignore AT_EACCESS in order to use the faccessat syscall (instead of, as
documented, imperfectly emulating it with fstatat).

But this isn't quite correct: if the process has CAP_SETUID and/or CAP_SETGID
(e.g., if it's run as root) it can start with equal real/effective capabilities
and change them later.

For example, in a program run as uid 0, assuming "/etc/passwd" is a regular
file with mode 0644 owned by uid 0:

seteuid(-2) => 0
faccessat(AT_FDCWD, "/etc/passwd", W_OK, AT_EACCESS) => 0
open("/etc/passwd", O_WRONLY) => -1

I'm not sure how important this bug is (the usual warnings about
time-of-check/time-of-use issues apply to most use cases for faccessat, and
it's currently impossible to implement faccessat correctly on Linux), but I
thought it should at least be on file for if/when someone else runs into it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security?

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Interesting.  I suspect faccessat should return ENOSYS if AT_EACCESS is
specified.  glibc does not know what kind of security modules the kernel has
loaded, so any emulation will be misleading.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
EINVAL would probably be the better error code.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
This is similar to the problem with fchmodat—the system call does not take a
flags argument:

  if ((flag == 0 || ((flag & ~AT_EACCESS) == 0 && ! __libc_enable_secure)))
    return INLINE_SYSCALL (faccessat, 3, fd, file, mode);

A fix depends will need kernel support.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[carlos at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=1329691
                 CC|                            |carlos at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com
             Status|NEW                         |ASSIGNED

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
Linux 5.8 has the required kernel support.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|security?                   |security-
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
   Target Milestone|---                         |2.33

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in glibc 2.33.

I'm marking this as security- until there is demonstrated application impact.

-- 
You are receiving this mail because:
You are on the CC list for the bug.