On 6/26/25 15:09, Sage [They / Them] McTaggart wrote:
Hello all,
A flaw was found in CephFS. An unprivileged user can escalate to root
privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by
root to gain access.

[...]

It is patched via 17.2.8 <https://github.com/ceph/ceph/pull/60314>, 18.2.5,
and 19.2.3 in upstream Ceph.

From that patch:

    bool allowed = false;
[...]
    if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
        (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
      allowed = true;
    }
[...]
    if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
      goto out;

Am I misreading the code or missing context or does this allow *any* change to the SUID/SGID bits, provided that the other mode bits are not simultaneously changed?  Is there some other check before this code is reached that prevents Alice from making Bob's (or root's...) o+x executable set-id and then running it?

If I correctly understand the description of the problem---that an unprivileged user was able to chmod root-owned directories---how is this patch not introducing another problem of permitting unprivileged users to tweak set-id bits on other users' files?

Maybe the correct answer is to not allow chmod except for root and the file's owner?


-- Jacob
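To make the question above concrete, here is an added model (not Ceph's code and not from the thread) of the quoted mode check as a pure function, next to the owner-or-root rule Jacob proposes, so the two policies can be compared on the same chmod requests. Caller and owner uids, the `chmod_allowed_quoted` / `chmod_allowed_owner_only` names and the sample cases are all constructed for illustration.

```python
import stat

# Set-id bits, as in the quoted C condition.
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def chmod_allowed_quoted(caller_uid, owner_uid, old_mode, new_mode):
    """Model of the quoted patch logic (assumption: this is the whole check).

    'allowed' is set when the set-id bits change but every other mode bit
    stays the same; a non-root, non-owner caller then passes the uid check.
    """
    setid_changed = (old_mode & SETID_BITS) != (new_mode & SETID_BITS)
    rest_unchanged = (old_mode & ~SETID_BITS) == (new_mode & ~SETID_BITS)
    allowed = setid_changed and rest_unchanged
    if caller_uid != 0 and caller_uid != owner_uid and not allowed:
        return False  # corresponds to 'goto out'
    return True


def chmod_allowed_owner_only(caller_uid, owner_uid, old_mode, new_mode):
    """Jacob's proposed rule: only root or the file's owner may chmod."""
    return caller_uid == 0 or caller_uid == owner_uid


ROOT, ALICE, BOB = 0, 1000, 1001  # constructed uids

# (caller, owner, old mode, new mode, description) -- constructed requests
CASES = [
    (ALICE, BOB, 0o755, 0o4755, "non-owner sets SUID only"),
    (ALICE, BOB, 0o2755, 0o755, "non-owner clears SGID only"),
    (ALICE, BOB, 0o755, 0o777, "non-owner widens permissions"),
    (ALICE, BOB, 0o755, 0o4777, "non-owner sets SUID and widens"),
    (BOB, BOB, 0o755, 0o777, "owner widens permissions"),
    (ROOT, BOB, 0o755, 0o4755, "root sets SUID"),
]


def compare_policies():
    """Return {description: (quoted_result, owner_only_result)} for CASES."""
    return {
        desc: (chmod_allowed_quoted(c, o, old, new),
               chmod_allowed_owner_only(c, o, old, new))
        for c, o, old, new, desc in CASES
    }


if __name__ == "__main__":
    for desc, (quoted, owner_only) in compare_policies().items():
        print(f"{desc:32} quoted={quoted!s:5} owner_only={owner_only}")
```

The rows where the two columns differ are exactly the non-owner set-id-only changes the message asks about; every other request is decided the same way by both rules.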

