| From dc6f55e9f8dac4b6479be67c5c9128ad37bb491f Mon Sep 17 00:00:00 2001 |
| From: NeilBrown <neilb@suse.de> |
| Date: Tue, 25 Oct 2011 10:25:49 +1100 |
| Subject: NFS/sunrpc: don't use a credential with extra groups. |
| |
| From: NeilBrown <neilb@suse.de> |
| |
| commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream. |
| |
| The sunrpc layer keeps a cache of recently used credentials and |
| 'unx_match' is used to find the credential which matches the current |
| process. |
| |
| However unx_match allows a match when the cached credential has extra |
| groups at the end of uc_gids list which are not in the process group list. |
| |
| So if a process with a list of (say) 4 groups accesses a file and gains |
| access because of the last group in the list, then another process |
| with the same uid and gid, and a gid list being the first three of the |
| gids of the original process tries to access the file, it will be |
| granted access even though it shouldn't as the wrong rpc credential |
| will be used. |
| |
| Signed-off-by: NeilBrown <neilb@suse.de> |
| Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sunrpc/auth_unix.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/sunrpc/auth_unix.c |
| +++ b/net/sunrpc/auth_unix.c |
| @@ -129,6 +129,9 @@ unx_match(struct auth_cred *acred, struc |
| for (i = 0; i < groups ; i++) |
| if (cred->uc_gids[i] != GROUP_AT(acred->group_info, i)) |
| return 0; |
| + if (groups < NFS_NGROUPS && |
| + cred->uc_gids[groups] != NOGROUP) |
| + return 0; |
| return 1; |
| } |
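Review bot: the added test `cred->uc_gids[groups] != NOGROUP` is only correct if every cached credential holding fewer than NFS_NGROUPS gids has NOGROUP in the slot right after its last gid, and nothing in this hunk shows or documents that invariant. A short comment above the check, saying that a short uc_gids list is NOGROUP-terminated and that this is what rejects a cached credential with extra trailing groups, would keep a later change to the code that fills in uc_gids from silently reintroducing the over-broad match. The same comment could note that when `groups` equals NFS_NGROUPS the guard skips the terminator test, so the match then rests on the loop comparison alone.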
| |