[Unionfs] bug allowing user to escalate privileges
Erez Zadok
ezk at cs.sunysb.edu
Tue Aug 5 15:35:45 EDT 2008
Please try this small patch. It should fix the problem.
Thanks,
Erez.
Unionfs: prevent a privilege escalation during first copyup
Signed-off-by: Erez Zadok <ezk at cs.sunysb.edu>
diff --git a/fs/unionfs/inode.c b/fs/unionfs/inode.c
index 0bd9fab..ce87887 100644
--- a/fs/unionfs/inode.c
+++ b/fs/unionfs/inode.c
@@ -795,10 +795,11 @@ static int unionfs_permission(struct inode *inode, int mask)
* We check basic permissions, but we ignore any conditions
* such as readonly file systems or branches marked as
* readonly, because those conditions should lead to a
- * copyup taking place later on.
+ * copyup taking place later on. However, if user never had
+ * access to the file, then no copyup could ever take place.
*/
err = inode_permission(lower_inode, mask);
- if (err && bindex > 0) {
+ if (err && err != -EACCES && bindex > 0) {
umode_t mode = lower_inode->i_mode;
if (is_robranch_super(inode->i_sb, bindex) &&
(S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
More information about the unionfs
mailing list