Description of problem:

Frank Filz reported: the problem is that permission checking is skipped if atomic open is possible, but when exec opens a file, it just opens it O_READONLY which means EXEC permission will not be checked at that time.

This problem is observed by the following sequence (executed as root):

    mount -t nfs4 server:/ /mnt4
    echo "ls" >/mnt4/foo
    chmod 744 /mnt4/foo
    su guest -c "mnt4/foo"

Reference:
http://article.gmane.org/gmane.linux.nfs/26592

This looks like the same problem that was reported in November 2006:
http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
http://marc.info/?l=oss-security&m=124220557025302&w=2
CVE-2009-1630: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

References:
http://article.gmane.org/gmane.linux.nfs/26592
http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
http://www.securityfocus.com/bid/34934
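A simplified user-space model of the decision described in the report and the CVE text, added here as an illustration; it is not kernel code, not the upstream patch, and not part of any comment in this bug. The struct, the function names, the `fixed` switch, the mask values and the sample uid are assumptions of the model, and group bits and root override are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mask bits named after the kernel's; the values are local to this model. */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4, MAY_OPEN = 0x20 };

struct file_model { unsigned mode; unsigned owner; };  /* e.g. 0744, uid 0 */

/* Mode-bit check for owner vs. other (group bits omitted in this model). */
static bool mode_allows(const struct file_model *f, unsigned uid, int mask)
{
    unsigned bits = (uid == f->owner) ? (f->mode >> 6) & 7 : f->mode & 7;
    unsigned want = mask & (MAY_EXEC | MAY_WRITE | MAY_READ);
    return (bits & want) == want;
}

/* Client-side permission decision. With atomic open the check is left to
 * the server's OPEN; `fixed` keeps the local check when MAY_EXEC is set. */
static bool client_permission(const struct file_model *f, unsigned uid,
                              int mask, bool atomic_open, bool fixed)
{
    bool defer = atomic_open && (mask & MAY_OPEN);
    if (fixed && (mask & MAY_EXEC))
        defer = false;
    return defer ? true : mode_allows(f, uid, mask);
}

/* exec path: client check for MAY_EXEC|MAY_OPEN, then a read-only OPEN
 * on the server, which can only verify read permission. */
static bool exec_allowed(const struct file_model *f, unsigned uid,
                         bool atomic_open, bool fixed)
{
    if (!client_permission(f, uid, MAY_EXEC | MAY_OPEN, atomic_open, fixed))
        return false;
    return mode_allows(f, uid, MAY_READ);
}

int main(void)
{
    struct file_model foo = { 0744, 0 };   /* constructed: root-owned, mode 744 */
    unsigned guest = 1000;                 /* constructed uid */
    printf("unfixed, atomic open: guest exec %s\n",
           exec_allowed(&foo, guest, true, false) ? "allowed" : "denied");
    printf("fixed,   atomic open: guest exec %s\n",
           exec_allowed(&foo, guest, true, true) ? "allowed" : "denied");
    return 0;
}
```

In the model, the mode 744 file from the reproduction is executable by the non-owner only when the local check is skipped, because the read-only OPEN that follows can verify nothing but read permission.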
Created attachment 344739
Upstream patch

http://git.kernel.org/linus/7ee2cb7f32b299c2b06a31fde155457203e4b7dd
Add issue 296766.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html

This issue has been addressed in the following products:
MRG for RHEL-5
Via RHSA-2009:1157 https://rhn.redhat.com/errata/RHSA-2009-1157.html