public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS
@ 2015-07-15 21:11 jld at mozilla dot com
2015-07-24 11:26 ` [Bug libc/18683] " fweimer at redhat dot com
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: jld at mozilla dot com @ 2015-07-15 21:11 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Bug ID: 18683
Summary: Linux faccessat implementation can incorrectly ignore
AT_EACCESS
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: jld at mozilla dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
The Linux implementation of faccessat() assumes that if __libc_enable_secure is
0 then the process's real and effective capabilities are equal and it can
ignore AT_EACCESS in order to use the faccessat syscall (instead of, as
documented, imperfectly emulating it with fstatat).
But this isn't quite correct: if the process has CAP_SETUID and/or CAP_SETGID
(e.g., if it's run as root) it can start with equal real/effective capabilities
and change them later.
For example, in a program run as uid 0, assuming "/etc/passwd" is a regular
file with mode 0644 owned by uid 0:
seteuid(-2) => 0
faccessat(AT_FDCWD, "/etc/passwd", W_OK, AT_EACCESS) => 0
open("/etc/passwd", O_WRONLY) => -1
I'm not sure how important this bug is (the usual warnings about
time-of-check/time-of-use issues apply to most use cases for faccessat, and
it's currently impossible to implement faccessat correctly on Linux), but I
thought it should at least be on file for if/when someone else runs into it.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
@ 2015-07-24 11:26 ` fweimer at redhat dot com
2015-10-13 12:17 ` fweimer at redhat dot com
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2015-07-24 11:26 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
2015-07-24 11:26 ` [Bug libc/18683] " fweimer at redhat dot com
@ 2015-10-13 12:17 ` fweimer at redhat dot com
2015-10-13 12:20 ` fweimer at redhat dot com
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2015-10-13 12:17 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |security?
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Interesting. I suspect faccessat should return ENOSYS if AT_EACCESS is
specified. glibc does not know what kind of security modules the kernel has
loaded, so any emulation will be misleading.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
2015-07-24 11:26 ` [Bug libc/18683] " fweimer at redhat dot com
2015-10-13 12:17 ` fweimer at redhat dot com
@ 2015-10-13 12:20 ` fweimer at redhat dot com
2020-04-16 12:51 ` fweimer at redhat dot com
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2015-10-13 12:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
EINVAL would probably be the better error code.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
` (2 preceding siblings ...)
2015-10-13 12:20 ` fweimer at redhat dot com
@ 2020-04-16 12:51 ` fweimer at redhat dot com
2020-04-16 12:56 ` carlos at redhat dot com
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2020-04-16 12:51 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
This is similar to the problem with fchmodat—the system call does not take a
flags argument:
if ((flag == 0 || ((flag & ~AT_EACCESS) == 0 && ! __libc_enable_secure)))
return INLINE_SYSCALL (faccessat, 3, fd, file, mode);
A fix depends will need kernel support.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
` (3 preceding siblings ...)
2020-04-16 12:51 ` fweimer at redhat dot com
@ 2020-04-16 12:56 ` carlos at redhat dot com
2020-08-07 16:21 ` fweimer at redhat dot com
2020-08-07 20:08 ` fweimer at redhat dot com
6 siblings, 0 replies; 8+ messages in thread
From: carlos at redhat dot com @ 2020-04-16 12:56 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugzilla.redhat.com
| |/show_bug.cgi?id=1329691
CC| |carlos at redhat dot com
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
` (4 preceding siblings ...)
2020-04-16 12:56 ` carlos at redhat dot com
@ 2020-08-07 16:21 ` fweimer at redhat dot com
2020-08-07 20:08 ` fweimer at redhat dot com
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2020-08-07 16:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |fweimer at redhat dot com
Status|NEW |ASSIGNED
--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
Linux 5.8 has the required kernel support.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/18683] Linux faccessat implementation can incorrectly ignore AT_EACCESS
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
` (5 preceding siblings ...)
2020-08-07 16:21 ` fweimer at redhat dot com
@ 2020-08-07 20:08 ` fweimer at redhat dot com
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2020-08-07 20:08 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|security? |security-
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
Target Milestone|--- |2.33
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in glibc 2.33.
I'm marking this as security- until there is demonstrated application impact.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-08-07 20:08 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-15 21:11 [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS jld at mozilla dot com
2015-07-24 11:26 ` [Bug libc/18683] " fweimer at redhat dot com
2015-10-13 12:17 ` fweimer at redhat dot com
2015-10-13 12:20 ` fweimer at redhat dot com
2020-04-16 12:51 ` fweimer at redhat dot com
2020-04-16 12:56 ` carlos at redhat dot com
2020-08-07 16:21 ` fweimer at redhat dot com
2020-08-07 20:08 ` fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).