The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID, belongs to a certain group, and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be.

References:
http://seclists.org/oss-sec/2018/q3/35

An upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1599162]
Note: The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory has the SGID bit set, belongs to a certain group, and is writable by a user who is not a member of this group. In such a case, a user who is not a member of the directory's group can create a plain file whose group ownership is that group and which has the group execution and SGID permission bits set. This can lead to excessive permissions being granted when they should not be.

The intended behavior is that the non-member user can trigger creation of a directory with group execution and SGID permission bits set whose group ownership is that group, but not a plain file.

The above is true for filesystems using the fs/inode.c:inode_init_owner() function from the VFS code, like the EXT4 and tmpfs filesystems. Some other filesystems may not be using this code. For example, the XFS filesystem is a special case here: it does not use fs/inode.c:inode_init_owner(), but uses its own fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter:

[https://www.kernel.org/doc/Documentation/filesystems/xfs.txt]

fs.xfs.irix_sgid_inherit (Min: 0 Default: 0 Max: 1)
Controls files created in SGID directories. If the group ID of the new file does not match the effective group ID or one of the supplementary group IDs of the parent dir, the ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl is set.
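An added audit sketch, not part of the original bug report or of any vendor tooling: it walks a directory tree and flags the precondition described above (SGID directories writable by users outside the group, approximated here by the other-write bit) and the resulting artifact (plain files with SGID and group execution set whose owner is not a member of the file's group). The function names and finding labels are assumptions of this example, and ACLs are not considered.

```python
import grp
import os
import pwd
import stat
import sys


def owner_in_group(uid, gid):
    """True if gid is the primary or a supplementary group of uid."""
    try:
        user = pwd.getpwuid(uid)
        return user.pw_gid == gid or user.pw_name in grp.getgrgid(gid).gr_mem
    except KeyError:
        return False  # unknown uid or gid: treat the owner as a non-member


def classify(mode, uid, gid, is_member=owner_in_group):
    """Return a finding label for one inode, or None if nothing stands out."""
    if stat.S_ISDIR(mode):
        # Precondition: SGID directory writable by users outside its group.
        if mode & stat.S_ISGID and mode & stat.S_IWOTH:
            return "sgid-dir-writable-by-others"
    elif stat.S_ISREG(mode):
        # Artifact: plain file with SGID and group-exec, owner not in its group.
        # Root-owned SGID binaries are ordinary installs, so uid 0 is skipped.
        both = stat.S_ISGID | stat.S_IXGRP
        if (mode & both) == both and uid != 0 and not is_member(uid, gid):
            return "sgid-exec-file-owner-not-in-group"
    return None


def audit(root):
    """Walk root without following symlinks; return [(label, path), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            label = classify(st.st_mode, st.st_uid, st.st_gid)
            if label:
                findings.append((label, path))
    return findings


if __name__ == "__main__":
    for label, path in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}\t{path}")
```

A flagged file is a candidate for review rather than proof of the issue, since group membership may have changed after the file was created.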
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:0717 https://access.redhat.com/errata/RHSA-2019:0717
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:2476 https://access.redhat.com/errata/RHSA-2019:2476
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:2566 https://access.redhat.com/errata/RHSA-2019:2566
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Telco Extended Update Support, Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Via RHSA-2019:4164 https://access.redhat.com/errata/RHSA-2019:4164
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Telco Extended Update Support, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions. Via RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2019:4159