linux-stable.git/include/linux/posix_acl.h, branch v3.2.102 Linux kernel stable tree posix_acl: Clear SGID bit when setting file permissions 2016-11-20T01:01:44+00:00 Jan Kara jack@suse.cz 2016-09-19T15:39:09+00:00 a06d3be52bce98746341cfb290203603fd028290 commit 073931017b49d9458aa351605b43a7e34598caef upstream. When file permissions are modified via chmod(2) and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod(2). Fix that. References: CVE-2016-7097 Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> [bwh: Backported to 3.2: - Drop changes to ceph, f2fs, hfsplus, orangefs - Use capable() instead of capable_wrt_inode_uidgid() - Update ext3 and generic_acl.c as well - In gfs2, jfs, and xfs, take care to avoid leaking the allocated ACL if posix_acl_update_mode() determines it's not needed - Adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[bwh: Backported to 3.2:
 - Drop changes to ceph, f2fs, hfsplus, orangefs
 - Use capable() instead of capable_wrt_inode_uidgid()
 - Update ext3 and generic_acl.c as well
 - In gfs2, jfs, and xfs, take care to avoid leaking the allocated ACL if
   posix_acl_update_mode() determines it's not needed
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
RCUify freeing acls, let check_acl() go ahead in RCU mode if acl is cached 2011-08-03T04:58:42+00:00 Al Viro viro@zeniv.linux.org.uk 2011-08-03T01:32:13+00:00 3567866bf26190d1e734c975c907eb06e923ba23 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
get rid of boilerplate switches in posix_acl.h 2011-08-03T04:47:21+00:00 Al Viro viro@zeniv.linux.org.uk 2011-08-03T04:47:21+00:00 951c0d660a7c35286e401ca6d6ef38c9d49643c7 the only potentially subtle thing here: get_cached_acl() is never called with the second argument other than ACL_TYPE_{ACCESS,DEFAULT}. IOW, that return ERR_PTR(-EINVAL) in there might as well be BUG(). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
the only potentially subtle thing here: get_cached_acl()
is never called with the second argument other than
ACL_TYPE_{ACCESS,DEFAULT}.  IOW, that return ERR_PTR(-EINVAL)
in there might as well be BUG().

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
switch posix_acl_chmod() to umode_t 2011-08-01T06:10:32+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T23:03:11+00:00 86bc704db0ab7e69230f79bc7d124e063259abc6 again, that's what all callers pass to it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
again, that's what all callers pass to it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
switch posix_acl_from_mode() to umode_t 2011-08-01T06:10:20+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T23:01:48+00:00 3a5fba19b080b365d67866db38e32e6a4a2089e8 ... seeing that this is what all callers pass to it anyway. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
... seeing that this is what all callers pass to it anyway.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
switch posix_acl_equiv_mode() to umode_t * 2011-08-01T06:10:06+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T22:56:36+00:00 d6952123b53cc8b334df69bba2cd0063b0d88f68 ... so that &inode->i_mode could be passed to it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
... so that &inode->i_mode could be passed to it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
switch posix_acl_create() to umode_t * 2011-08-01T06:09:42+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T22:37:50+00:00 d3fb612076eebec6f67257db0c7a9666ac7e5892 so we can pass &inode->i_mode to it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
so we can pass &inode->i_mode to it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
bury posix_acl_..._masq() variants 2011-07-25T18:27:32+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T07:27:37+00:00 edde854e8bb34a7f32fa993d721f1da0faf64165 made static; no callers left outside of posix_acl.c. posix_acl_clone() also has lost all external callers and became static... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
made static; no callers left outside of posix_acl.c.  posix_acl_clone() also
has lost all external callers and became static...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
kill boilerplates around posix_acl_create_masq() 2011-07-25T18:27:32+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T07:10:32+00:00 826cae2f2b4d726b925f43bc208a571639da4761 new helper: posix_acl_create(&acl, gfp, mode_p). Replaces acl with modified clone, on failure releases acl and replaces with NULL. Returns 0 or -ve on error. All callers of posix_acl_create_masq() switched. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
new helper: posix_acl_create(&acl, gfp, mode_p).  Replaces acl with
modified clone, on failure releases acl and replaces with NULL.
Returns 0 or -ve on error.  All callers of posix_acl_create_masq()
switched.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
kill boilerplate around posix_acl_chmod_masq() 2011-07-25T18:27:30+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T04:18:02+00:00 bc26ab5f65ae41b71df86ea46df3c3833d1d8d83 new helper: posix_acl_chmod(&acl, gfp, mode). Replaces acl with modified clone or with NULL if that has failed; returns 0 or -ve on error. All callers of posix_acl_chmod_masq() switched to that - they'd been doing exactly the same thing. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
new helper: posix_acl_chmod(&acl, gfp, mode).  Replaces acl with modified
clone or with NULL if that has failed; returns 0 or -ve on error.  All
callers of posix_acl_chmod_masq() switched to that - they'd been doing
exactly the same thing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>