>>> On Fri, 15 Jan 2016 04:01:04 +0900
    in message   "try reproducing this problem?"
                  -san wrote:

> Have you heard about the latest overlayfs security problem?
> http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/

(The vanilla kernel does not allow root in a user namespace to mount
overlayfs. So I guess this is only the case for the Ubuntu kernel.)

> The problem is already fixed in mainline.
> I am afraid that aufs might have a similar problem, particularly when the
> module parameter 'allow_userns' is set to 1. Actually I've tried
> reproducing the problem on my test pc, but failed. I am afraid I don't
> understand the detail yet.

> If you can (anyone in this ML), please try reproducing the problem.
> Because this is a security problem and I want to make really
> sure. I'd like to ask for help from users. If you have some time to try,
> please do it and report the result to this ML.

I also don't understand it well. But I ran the test program.
  * I can reproduce it with overlayfs
  * I can't reproduce it with aufs

I've run the program on kernel 4.2.3 with the patch applied that allows
root in a userns to mount overlayfs.

* overlayfs ... reproduced

$ ./UserNamespaceOverlayfsSetuidWriteExec -- /bin/bash
Setting uid map in /proc/3749/uid_map
Setting gid map in /proc/3749/gid_map
euid: 65534, egid: 65534
euid: 0, egid: 0
overlayfs
Namespace helper waiting for modification completion
Namespace part completed

* aufs (allow_userns=1) ... not reproduced

$ TRY_AUFS=1 ./UserNamespaceOverlayfsSetuidWriteExec -- /bin/bash
Setting uid map in /proc/3321/uid_map
Setting gid map in /proc/3321/gid_map
euid: 0, egid: 0
euid: 0, egid: 0
aufs
Mode change failed
Failed to open /proc/3321/cwd/su, error Permission denied

* aufs (allow_userns=0) ... not reproduced

$ TRY_AUFS=1 ./UserNamespaceOverlayfsSetuidWriteExec -- /bin/bash
Setting uid map in /proc/3245/uid_map
Setting gid map in /proc/3245/gid_map
euid: 0, egid: 0
euid: 0, egid: 0
aufs
Overlay mounting failed: 1 (Operation not permitted)

I've run it on kernel 4.4 (not vulnerable), too. I can't reproduce it
with either aufs or overlayfs.

> 1. get the test-program UserNamespaceOverlayfsSetuidWriteExec.c from the
>    above URL.
> 2. reproduce the problem by overlayfs (without modifying the TP)
> 3. modify the TP in order to use aufs (like the patch attached).
> 4. try reproducing the problem by aufs with two cases,
>    + allow_userns=1
>    + allow_userns=0
> 5. report the result to this ML.


> Thank you
> J. R. Okajima

I wrote a little more detail (but in Japanese ^^;):
  http://d.hatena.ne.jp/defiant/20160115/1452858749

Thanks,
KATOH Yasufumi
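The results above depend on one precondition before anything setuid-related happens: whether the kernel lets a user who is root only inside a fresh user namespace mount overlayfs or aufs at all (the "Overlay mounting failed: 1 (Operation not permitted)" line in the allow_userns=0 run is exactly that precondition failing). The following is an added example, not the halfdog test program and not aufs code: it enters a new user and mount namespace, maps the caller to uid/gid 0, and attempts one mount of each filesystem, reporting whether the mount was allowed, refused with EPERM, or not available. It does not touch any setuid file, so "allowed" only means the later steps of the TP could be attempted, not that the kernel is vulnerable; in particular, mainline overlayfs has deliberately permitted unprivileged userns mounts since 5.11. Assumptions: the filesystem type names `overlay` and `aufs`, the aufs `br=<upper>=rw:<lower>=ro` branch syntax, and a writable `/tmp`.

```c
/*
 * userns_mount_probe.c - added example, not the thread's test program.
 * Checks the precondition both reports depend on: can an unprivileged
 * user, who is root only inside a fresh user namespace, mount overlayfs
 * ("overlay") or aufs?  Nothing setuid is touched; a mount that succeeds
 * only means the next steps of the TP could be attempted.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_NO_USERNS = 0, /* could not enter a user namespace: nothing tested */
    PROBE_NO_FSTYPE,     /* ENODEV: filesystem type not available */
    PROBE_REFUSED,       /* EPERM: kernel refuses the mount inside a userns */
    PROBE_ALLOWED,       /* mount succeeded inside the user namespace */
    PROBE_OTHER          /* any other mount or setup error */
};

const char *describe(enum probe_result r)
{
    static const char *names[] = {
        "cannot create user namespace", "fs type not available",
        "mount refused in userns (EPERM)", "mount allowed in userns",
        "mount failed for another reason"
    };
    return (unsigned)r <= PROBE_OTHER ? names[r] : "?";
}

/* Mount options for the two filesystems (aufs branch syntax is assumed). */
int build_opts(const char *fstype, const char *lower, const char *upper,
               const char *work, char *buf, size_t len)
{
    if (strcmp(fstype, "aufs") == 0)
        return snprintf(buf, len, "br=%s=rw:%s=ro", upper, lower);
    return snprintf(buf, len, "lowerdir=%s,upperdir=%s,workdir=%s",
                    lower, upper, work);
}

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Runs in a child: become uid/gid 0 in a new user+mount namespace and try
 * exactly one mount.  The exit status carries the enum back to the parent. */
static enum probe_result probe_child(const char *fstype, const char *opts,
                                     const char *target)
{
    char map[64];
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();

    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return PROBE_NO_USERNS;
    snprintf(map, sizeof map, "0 %u 1", uid);
    if (write_file("/proc/self/uid_map", map) != 0) return PROBE_NO_USERNS;
    write_file("/proc/self/setgroups", "deny"); /* required before gid_map */
    snprintf(map, sizeof map, "0 %u 1", gid);
    if (write_file("/proc/self/gid_map", map) != 0) return PROBE_NO_USERNS;
    /* keep the probe mount from propagating back to the parent namespace */
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);

    if (mount("none", target, fstype, 0, opts) == 0) {
        umount(target);
        return PROBE_ALLOWED;
    }
    if (errno == ENODEV) return PROBE_NO_FSTYPE;
    if (errno == EPERM)  return PROBE_REFUSED;
    return PROBE_OTHER;
}

enum probe_result probe_userns_mount(const char *fstype)
{
    char base[] = "/tmp/usernsprobe.XXXXXX";  /* scratch tree, owned by us */
    char lower[48], upper[48], work[48], mnt[48], opts[256];
    char *sub[] = { lower, upper, work, mnt };
    const char *names[] = { "lower", "upper", "work", "mnt" };
    enum probe_result r = PROBE_OTHER;
    int status;
    pid_t pid;

    if (!mkdtemp(base)) return PROBE_OTHER;
    for (int i = 0; i < 4; i++) {
        snprintf(sub[i], 48, "%s/%s", base, names[i]);
        mkdir(sub[i], 0700);
    }
    build_opts(fstype, lower, upper, work, opts, sizeof opts);

    pid = fork();
    if (pid == 0)
        _exit(probe_child(fstype, opts, mnt));
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        r = (enum probe_result)WEXITSTATUS(status);

    for (int i = 0; i < 4; i++) rmdir(sub[i]);
    rmdir(base);
    return r;
}

int main(void)
{
    const char *fs[] = { "overlay", "aufs" };
    for (int i = 0; i < 2; i++)
        printf("%-8s: %s\n", fs[i], describe(probe_userns_mount(fs[i])));
    return 0;
}
```

Run it as an ordinary user (no sudo) on the kernel under test. "mount refused in userns (EPERM)" matches the allow_userns=0 result above; "mount allowed in userns" is the state in which the TP's later steps become reachable and is what the thread's mainline fix did not remove (the fix was to the setuid handling, not to the mount permission).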
