file_remove_suid() could mistakenly set S_NOSEC inode bit when root was modifying the file. As a result following writes to the file by ordinary user would avoid clearing suid or sgid bits.
Fix the bug by checking actual mode bits before setting S_NOSEC. CC: [email protected] Signed-off-by: Jan Kara <[email protected]> --- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b/fs/inode.c index 26753ba7b6d6..f5e01704a5c8 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1631,7 +1631,8 @@ int file_remove_suid(struct file *file) error = security_inode_killpriv(dentry); if (!error && killsuid) error = __remove_suid(dentry, killsuid); - if (!error && (inode->i_sb->s_flags & MS_NOSEC)) + if (!error && (inode->i_sb->s_flags & MS_NOSEC) && + !is_sxid(inode->i_mode)) inode->i_flags |= S_NOSEC; return error; -- 1.8.1.4 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
