Re: AUFS security issue - Copying Linux Capabilities using copy_up

Wed, 01 Sep 2021 01:50:51 -0700 

   Hi,A
   Here is I reproducing the problem:
   ---------------------------------------
   A  Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11
   15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
   /home/user/Documents/aufs/vImgUSB.img on
   /home/user/Documents/aufs/dirUSB type ext4 (rw,nosuid,nodev,relatime)
   none on /home/user/Documents/aufs/aufs-root type aufs
   (rw,relatime,si=96c01dd8c0a2dcd5)
   + cat /sys/fs/aufs/si_96c01dd8c0a2dcd5/br0
   /sys/fs/aufs/si_96c01dd8c0a2dcd5/br1
   /home/user/Documents/aufs/dir2=rw
   /home/user/Documents/aufs/dirUSB=ro
   + cd /home/user/Documents/aufs
   # aufs-root directory contents
   + ll aufs-root
   total 40K
   drwx------ 2 user user 16K Jul A 5 14:07 lost+found
   -rwxrwxr-x 1 root root 17K Jun 30 15:53 _open_shadow
   # When executing _open_shadow from dirUSB, the capabilities should not
   works (because nosuid)
   + getcap ./dirUSB/_open_shadow
   ./dirUSB/_open_shadow = cap_dac_read_search+eip
   + ./dirUSB/_open_shadow
   [1] A  A 4372 segmentation fault (core dumped) A ./dirUSB/_open_shadow
   # When executing it from the aufs-root it works (bypassing nosuid)
   + ./aufs-root/_open_shadow | tail -n2
   test:********/******************.***********./**********:18792:0:99999:
   7:::
   # When `mv` between two separated FSs not using aufs, the mv should not
   be permitted
   + getcap ./dirUSB/_open_shadow
   ./dirUSB/_open_shadow = cap_dac_read_search+eip
   + mv ./dirUSB/_open_shadow ./dir2/_open_shadow
   mv: setting attribute 'security.capability' for 'security.capability':
   Operation not permitted
   # When using the aufs copy_up, the driver "copies" it with the
   capabilities.
   + touch ./aufs-root/_open_shadow
   + getcap -r ./ A  A  A
   ./dir2/_open_shadow = cap_dac_read_search+eip
   ./aufs-root/_open_shadow = cap_dac_read_search+eip
   ./dirUSB/_open_shadow = cap_dac_read_search+eip
   + ./dir2/_open_shadow | tail -n2
   test:********/******************.***********./**********:18792:0:99999:
   7:::
   # When using `mv` in the aufs-root dir it also keeps the capabilities
   thus bypassing
   # the not permitted "setting attribute 'security.capability'"
   operation.
   + ll * A  A  A  A
   -rw-rw-r-- 1 user user 220K Sep A 1 11:38 vImgUSB.img
   aufs-root:
   total 40K
   drwx------ 2 user user 16K Jul A 5 14:07 lost+found
   -rwxrwxr-x 1 user user 17K Sep A 1 11:37 _open_shadow
   dir2:
   total 0
   dirUSB:
   total 40K
   drwx------ 2 user user 16K Jul A 5 14:07 lost+found
   -rwxrwxr-x 1 user user 17K Sep A 1 11:37 _open_shadow
   + mv ./aufs-root/_open_shadow ./aufs-root/_copy_up_open_shadow
   + ll ./dir2 A
   total 20K
   -rwxrwxr-x 1 user user 17K Sep A 1 11:37 _copy_up_open_shadow
   + getcap ./dir2/_copy_up_open_shadow
   ./dir2/_copy_up_open_shadow = cap_dac_read_search+eip
   + ./dir2/_copy_up_open_shadow| tail -n2
   test:********/******************.***********./**********:18792:0:99999:
   7:::
   -------------------------------------------------
   Hope it helps.
   Keep me posted.
   Thank you,
   Alon Zahavi

   On Wed, 1 Sept 2021 at 01:51, J. R. Okajima <[1]hooanon...@gmail.com>
   wrote:

     Alon Zahavi:
     > For example - AWS EC2 Ubuntu 20.04 with aufs-tools installed.
     >
     >A  A  1. Mount a device to any folder.
     >A  A  2. Copy any file with capabilities into that folder.
     >A  A  3. Remount the device now with nosuid and ro options.
     >A  A  4. mount a AUFS mount where there are two branches. Make sure
     the
     >A  A  "lower" branch is the branch with the capable file.
     >
     > Execution:
     >
     >A  A  1. As a low-priv user cd into the AUFS root.
     >A  A  2. Execute mv capable_file _cp_capble_file
     >A  A  3. cd to the higher branch directory.
     >A  A  4. Execute the capable binary.
     >
     > Expected Results:
     >
     > When copying a capable file using a low privileged user, the file
     should be
     > copied without any file capabilities.
     It is hard for me to reproduce the problem.
     Here is what I am trying.
     ----------------------------------------
     Linux jrotkm 5.14.0-rc7aufsD+ #397 SMP Mon Aug 23 16:04:40 JST 2021
     x86_64 GNU/Linux
     /dev/ram1 /dev/shm/ro ext2
     ro,nosuid,relatime,errors=continue,user_xattr,acl 0 0
     /dev/ram0 /dev/shm/rw ext3 rw,relatime,stripe=4 0 0
     none /dev/shm/u aufs rw,relatime,si=66cd80fe38e1ad6a 0 0
     + cat /sys/fs/aufs/si_66cd80fe38e1ad6a/br0
     /sys/fs/aufs/si_66cd80fe38e1ad6a/br1
     /dev/shm/rw=rw
     /dev/shm/ro=ro
     + cd ..
     + getcap -v ro/true2 u/true2
     ro/true2 = cap_sys_admin+ep
     u/true2 = cap_sys_admin+ep
     # case 1: "cp" drops the file capability
     + cp u/true2 u/trueA
     + getcap -v rw/trueA u/trueA
     rw/trueA
     u/trueA
     # case 2: "cp -a" also drops the file capability
     + cp -a u/true2 u/trueB
     + getcap -v rw/trueB u/trueB
     rw/trueB
     u/trueB
     # case 3: "sudo cp" also drops the file capability
     + sudo cp u/true2 u/trueC
     + getcap -v rw/trueC u/trueC
     rw/trueC
     u/trueC
     # case 4: "sudo cp -a" keeps the file capability
     + sudo cp -a u/true2 u/trueD
     + getcap -v rw/trueD u/trueD
     rw/trueD = cap_sys_admin+ep
     u/trueD = cap_sys_admin+ep
     # case 5: simple copy-up keeps the file capability
     + touch ./true2
     + getcap -v ro/true2 u/true2
     ro/true2 = cap_sys_admin+ep
     u/true2 = cap_sys_admin+ep
     ----------------------------------------
     All these behaviours look correct.
     What am I missing?
     J. R. Okajima

References

   1. mailto:hooanon...@gmail.com






















					Reply via email to