Bug 443043 - fix setuid/setgid clearing by knfsd
fix setuid/setgid clearing by knfsd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Jeff Layton
Martin Jenner
:
Depends On:
Blocks: 443044
  Show dependency treegraph
 
Reported: 2008-04-18 08:08 EDT by Jeff Layton
Modified: 2011-01-24 17:55 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 15:14:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch -- revoke both setuid and setgid on uid/gid changes (1.67 KB, patch)
2008-04-23 11:23 EDT, Jeff Layton
no flags Details | Diff

  None (edit)
Description Jeff Layton 2008-04-18 08:08:48 EDT
I just pushed a couple of patches upstream that we should backport for the next
RHEL updates. I suspect that Bruce will push them for 2.6.26. Here is the
description of the problem:

Currently, knfsd only clears the setuid bit if the owner of a file is
changed on a SETATTR call, and only clears the setgid bit if the group
is changed. POSIX says this in the spec for chown():

    "If the specified file is a regular file, one or more of the
     S_IXUSR, S_IXGRP, or S_IXOTH bits of the file mode are set, and the
     process does not have appropriate privileges, the set-user-ID
     (S_ISUID) and set-group-ID (S_ISGID) bits of the file mode shall
     be cleared upon successful return from chown()."

If I'm reading this correctly, then knfsd is doing this wrong. It should
be clearing both the setuid and setgid bit on any SETATTR that changes
the uid or gid. This wasn't really as noticable before, but now that the
ATTR_KILL_S*ID bits are a no-op for the NFS client, it's more evident.
Comment 1 Jeff Layton 2008-04-23 11:23:30 EDT
Created attachment 303510 [details]
patch -- revoke both setuid and setgid on uid/gid changes
Comment 3 RHEL Product and Program Management 2008-05-02 12:20:51 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Don Zickus 2008-07-23 14:55:06 EDT
in kernel-2.6.18-99.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 9 Issue Tracker 2008-11-06 15:58:47 EST
Comment not mirrored from IT:

------- Comment From sijo.george@in.ibm.com 2008-11-05 01:53 EDT-------
The bug still exists on RHEL 5.3 Beta.
-------------------------------
[root@qs22-3 bin]# ./fchown03
fchown03    1  FAIL  :  testfile: Incorrect mode permissions 0104770,
Expected 0100770
[root@qs22-3 bin]# uname -a
Linux qs22-3.ltc.austin.ibm.com.ltc.austin.ibm.com 2.6.18-120.el5 #1 SMP
Fri Oct 17 18:06:21 EDT 2008 ppc64 ppc64 ppc64 GNU/Linux
[root@qs22-3 bin]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.3 Beta (Tikanga)
Kernel r on an m

[root@qs22-3 bin]#
-----------------------------------

Regards:
Sijo 


This event sent from IssueTracker by balkov 
 issue 179301
Comment 10 Jeff Layton 2008-11-06 16:14:00 EST
Works for me on -122.el5:

# mount -t nfs localhost:/export /mnt/test
# touch /export/testfile

# chown root:root /export/testfile

# chmod 6755 /export/testfile

# ls -l /mnt/test/testfile
-rwsr-sr-x 1 root root 24 Oct 28 21:57 /mnt/test/testfile

# chown testuser /mnt/test/testfile

# ls -l /mnt/test/testfile
-rwxr-xr-x 1 testuser root 24 Oct 28 21:57 /mnt/test/testfile

...I get the same file mode when I chgrp the file instead here too. This sure looks like it's fixed to me.

What exactly does "fchown03" do?
Comment 12 errata-xmlrpc 2009-01-20 15:14:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html

Note You need to log in before you can comment on or make changes to this bug.