[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories

Thu, 08 Nov 2018 04:01:39 -0800 

** Changed in: linux (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Bionic)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1793458

Title:
  Overlayfs in user namespace leaks directory content of inaccessible
  directories

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  In Progress

Bug description:
  Summary: With a combination of overlayfs and user namespaces, regular
  users can see the content of directories that would otherwise be
  inaccessible to them because of directory permissions (e.g., all users
  can see content of "/root").

  Details: For the exploit it is necessary to create user and mount
  namespaces and mount an overlayfs inside it. Ubuntu allows this for
  regular users. The lower dir of the overlay would be "/", and the
  upper dir an attacker-controlled temporary directory. If the attacker
  wants to see the content of "/root", they would create a directory
  "root" in the upper dir of the overlay. Overlays seems to get confused
  about the permissions, and instead of applying the restrictive
  permissions of "root" from the lower dir, it applies more relaxed
  restrictions of "root" from the upper dir, granting the attacker the
  possibility to list the directory contents of "/root".

  To reproduce, simply run the attached script as regular user. It will show 
the content of "/root", on my system the output is this:
  ```
  /bin/ls: cannot access '/root/.cache': Permission denied
  /bin/ls: cannot access '/root/.bashrc': Permission denied
  /bin/ls: cannot access '/root/snap': Permission denied
  /bin/ls: cannot access '/root/.gnupg': Permission denied
  /bin/ls: cannot access '/root/.aptitude': Permission denied
  /bin/ls: cannot access '/root/.bash_history': Permission denied
  /bin/ls: cannot access '/root/.profile': Permission denied
  /bin/ls: cannot access '/root/.hplip': Permission denied
  total 8
  drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .
  drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 ..
  d????????? ? ?      ?          ?            ? .aptitude
  -????????? ? ?      ?          ?            ? .bash_history
  -????????? ? ?      ?          ?            ? .bashrc
  d????????? ? ?      ?          ?            ? .cache
  d????????? ? ?      ?          ?            ? .gnupg
  d????????? ? ?      ?          ?            ? .hplip
  -????????? ? ?      ?          ?            ? .profile
  d????????? ? ?      ?          ?            ? snap
  ```

  The script also has some comments that explain the necessary steps in
  more details.

  I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug
  probably affects all Ubuntu versions of the last years. Other
  distributions and the vanilla kernel should not be affected because
  AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces.
  But of course it would be good to apply a potential fix upstream.

  So far I did not succeed in doing more than leaking the directory
  content, but of course that is no guarantee that it is not possible to
  do worse things.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-34-generic 4.15.0-34.37
  ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18
  Uname: Linux 4.15.0-34-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.3
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  wendler    3414 F.... pulseaudio
   /dev/snd/controlC0:  wendler    3414 F.... pulseaudio
  CurrentDesktop: Unity:Unity7:ubuntu
  Date: Thu Sep 20 08:56:01 2018
  HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062
  InstallationDate: Installed on 2016-12-12 (646 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 
(20160719)
  MachineType: LENOVO 20FXS1B700
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic 
root=/dev/mapper/ubuntu--vg-root ro quiet splash 
resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1
  RelatedPackageVersions:
   linux-restricted-modules-4.15.0-34-generic N/A
   linux-backports-modules-4.15.0-34-generic  N/A
   linux-firmware                             1.173.1
  SourcePackage: linux
  UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago)
  dmi.bios.date: 09/26/2016
  dmi.bios.vendor: LENOVO
  dmi.bios.version: R07ET71W (2.11 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 20FXS1B700
  dmi.board.vendor: LENOVO
  dmi.board.version: SDK0J40697 WIN
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: None
  dmi.modalias: 
dmi:bvnLENOVO:bvrR07ET71W(2.11):bd09/26/2016:svnLENOVO:pn20FXS1B700:pvrThinkPadT460p:rvnLENOVO:rn20FXS1B700:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone:
  dmi.product.family: ThinkPad T460p
  dmi.product.name: 20FXS1B700
  dmi.product.version: ThinkPad T460p
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1793458/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to