Re: glusterfs setuid issue
Hi Ben,
On Wed, Aug 19, 2015 at 01:00:14AM +0200, Ben Hutchings wrote:
> On Wed, 2015-08-19 at 00:38 +0200, Ben Hutchings wrote:
> > I spent some time on this issue without a CVE assigned:
> >
> > CVE-2015-XXXX [fuse check return value of setuid]
> > > - glusterfs
> > > NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/18/6
> > > NOTE: http://review.gluster.org/#/c/10780/
> > > NOTE: https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6
> >
> > I don't believe this is a security issue at all:
> >
> > - The two unchecked setuid() calls are setuid(geteuid()). This isn't
> > dropping privileges. If the effective uid is 0 then this sets real
> > and saved uids to 0 as well. Otherwise it does nothing.
> > - It can't fail due to process limits, because if it changes the real
> > uid then we must have an effective uid of 0 and the process limit
> > is ignored.
> [...]
>
> It is possible for a thread to have some privileges but not
> CAP_SYS_RESOURCE or CAP_SYS_ADMIN (which provide exemption from the
> process limit). However setuid-root programs always get all
> capabilities and I didn't find any calls to capset() in fuse or
> glusterfs.
Thanks a lot for your analysis of this. I have marked the issue for
now as unimportant but kept it for now in the tracker. If it never
will get a CVE we can safely drop it again.
Regards,
Salvatore
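
The setuid(geteuid()) call discussed in this thread, with its return value checked and the resulting ids verified, as an added example that is not part of the original messages and not code from fuse or glusterfs. The helper name pin_uids_to_effective is hypothetical, and Linux with glibc is assumed for getresuid().

```c
#define _GNU_SOURCE          /* for getresuid() on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: make the real and saved uid follow the effective
 * uid, checking the result instead of assuming it.
 * Returns 0 on success, -1 if setuid() failed or the ids are not as expected. */
int pin_uids_to_effective(void)
{
    uid_t target = geteuid();
    uid_t r, e, s;

    if (setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n",
                (unsigned long)target, strerror(errno));
        return -1;
    }
    if (getresuid(&r, &e, &s) != 0)
        return -1;

    /* The effective uid must be unchanged in every case. */
    if (e != target)
        return -1;

    /* With an effective uid of 0 the call sets real and saved uid to 0
     * as well; verify that rather than trusting the return value alone. */
    if (target == 0 && (r != 0 || s != 0))
        return -1;

    return 0;
}

int main(void)
{
    uid_t r, e, s;

    if (pin_uids_to_effective() != 0)
        return 1;
    if (getresuid(&r, &e, &s) != 0)
        return 1;
    printf("real=%lu effective=%lu saved=%lu\n",
           (unsigned long)r, (unsigned long)e, (unsigned long)s);
    return 0;
}
```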