To: linux-kernel@vger.rutgers.edu
Subject: [SECURITY PATCH] nfsd
Date: Mon, 26 Oct 1998 12:00:26 -0800
From: "G. Allen Morris III" <gam3@gam3.sehda.com>

There is a security problem with the kernel nfsd code.

The nfsd kernel code calls permission() with both CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH set. This allows the access of files in a directory with permissions 000 even w/ root_squash set.

Here is a patch to fix this problem.

diff -u -r1.1 auth.c --- linux/fs/nfsd/auth.c 1998/10/16 19:08:05 1.1 +++ linux/fs/nfsd/auth.c 1998/10/26 00:24:23 @@ -43,5 +43,14 @@ current->fsgid = exp->ex_anon_gid; for (i = 0; i < NGROUPS; i++) current->groups[i] = cred->cr_groups[i]; + /* FIXME: hack to make make 000 mode directories unreadable */ + if ((cred->cr_uid)) { + cap_lower(current->cap_effective, CAP_DAC_OVERRIDE); + cap_lower(current->cap_effective, CAP_DAC_READ_SEARCH); + } else { + cap_raise(current->cap_effective, CAP_DAC_OVERRIDE); + cap_raise(current->cap_effective, CAP_DAC_READ_SEARCH); + } + rqstp->rq_userset = 1; }

---------------------------------
G. Allen Morris III
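
Review bot: the `if ((cred->cr_uid))` test keys the capability drop on the uid carried in the request credential, while the context line just above it writes the squashed identity into the task (`current->fsgid = exp->ex_anon_gid;`). The code that applies root_squash sits above this hunk and is not visible here, so it is unclear whether `cred->cr_uid` has already been rewritten to the anonymous uid by this point. If it has not, a squashed root request still has `cr_uid == 0`, falls into the else branch, and gets CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH raised, which is the root_squash case the mail sets out to close. Testing the identity the thread will actually run with (for example `current->fsuid`) would make the check independent of how the squash is applied; otherwise please confirm that `cr_uid` is post-squash here. Two smaller points: the else branch is needed because the nfsd thread is reused across requests and would otherwise keep the lowered set for a later root request, which deserves a word in the comment, and the comment itself has a doubled "make make". The extra parentheses in the condition can go as well.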