| From security-bounces@linux.kernel.org Tue Dec 20 07:32:55 2005 |
| Date: Tue, 20 Dec 2005 16:29:05 +0100 |
| From: Marcus Meissner <meissner@suse.de> |
| To: Trond.Myklebust@netapp.com |
| Message-ID: <20051220152905.GA28537@suse.de> |
| Cc: Chris L Mason <mason@suse.de>, Andreas Gruenbacher <agruen@suse.de> |
| Subject: setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623) |
| |
| From: Andreas Gruenbacher <agruen@suse.de> |
| |
| We must check for MAY_SATTR before setting acls, which includes |
| checking for read-only exports: the lower-level setxattr operation |
| that eventually sets the acl cannot check export-level restrictions. |
| |
| Bug reported by Martin Walter <mawa@uni-freiburg.de>. |
| |
| Signed-off-by: Andreas Gruenbacher <agruen@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/nfsd/nfs2acl.c | 2 +- |
| fs/nfsd/nfs3acl.c | 2 +- |
| 2 files changed, 2 insertions(+), 2 deletions(-) |
| |
| --- linux-2.6.14.4.orig/fs/nfsd/nfs2acl.c |
| +++ linux-2.6.14.4/fs/nfsd/nfs2acl.c |
| @@ -107,7 +107,7 @@ static int nfsacld_proc_setacl(struct sv |
| dprintk("nfsd: SETACL(2acl) %s\n", SVCFH_fmt(&argp->fh)); |
| |
| fh = fh_copy(&resp->fh, &argp->fh); |
| - nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP); |
| + nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR); |
| |
| if (!nfserr) { |
| nfserr = nfserrno( nfsd_set_posix_acl( |
| --- linux-2.6.14.4.orig/fs/nfsd/nfs3acl.c |
| +++ linux-2.6.14.4/fs/nfsd/nfs3acl.c |
| @@ -101,7 +101,7 @@ static int nfsd3_proc_setacl(struct svc_ |
| int nfserr = 0; |
| |
| fh = fh_copy(&resp->fh, &argp->fh); |
| - nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP); |
| + nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR); |
| |
| if (!nfserr) { |
| nfserr = nfserrno( nfsd_set_posix_acl( |