>>> On Fri, 15 Jan 2016 04:01:04 +0900 in message "try reproducing this problem?" -san wrote:
> Have you heard about the latest overlayfs security problem?
> http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/

(Vanilla kernel does not allow root in a user namespace to mount overlayfs. So I guess it is only the case of the ubuntu kernel.)

> The problem is already fixed in mainline.
> I am afraid that aufs might have a similar problem, particularly when the
> module parameter 'allow_userns' is set to 1. Actually I've tried
> reproducing the problem on my test pc, but failed. I am afraid I don't
> understand the detail yet.
> If you can (anyone in this ML), please try reproducing the problem.
> Because this is a security problem and I want to really make it
> sure. I'd like to ask a help from users. If you have some time to try,
> please do it and report the result to this ML.

I also don't understand it well. But I ran the test program.

* I can reproduce with overlayfs
* I can't reproduce with aufs

I've run the program on kernel 4.2.3 with the patch applied that allows root in a userns to mount overlayfs.

* overlayfs ... reproduced

    $ ./UserNamespaceOverlayfsSetuidWriteExec -- /bin/bash
    Setting uid map in /proc/3749/uid_map
    Setting gid map in /proc/3749/gid_map
    euid: 65534, egid: 65534
    euid: 0, egid: 0
    overlayfs
    Namespace helper waiting for modification completion
    Namespace part completed

* aufs (allow_userns=1) ... not reproduced

    $ TRY_AUFS=1 ./UserNamespaceOverlayfsSetuidWriteExec -- /bin/bash
    Setting uid map in /proc/3321/uid_map
    Setting gid map in /proc/3321/gid_map
    euid: 0, egid: 0
    euid: 0, egid: 0
    aufs
    Mode change failed
    Failed to open /proc/3321/cwd/su, error Permission denied

* aufs (allow_userns=0) ... not reproduced

    $ TRY_AUFS=1 ./UserNamespaceOverlayfsSetuidWriteExec -- /bin/bash
    Setting uid map in /proc/3245/uid_map
    Setting gid map in /proc/3245/gid_map
    euid: 0, egid: 0
    euid: 0, egid: 0
    aufs
    Overlay mounting failed: 1 (Operation not permitted)

I've run it on kernel 4.4 (not vulnerable), too. I can't reproduce with aufs or overlayfs.

> 1. get the test-program UserNamespaceOverlayfsSetuidWriteExec.c from the
>    above URL.
> 2. reproduce the problem by overlayfs (without modifying the TP)
> 3. modify the TP in order to use aufs (like the patch attached).
> 4. try reproducing the problem by aufs with two cases,
>    + allow_userns=1
>    + allow_userns=0
> 5. report the result to this ML.
>
> Thank you
> J. R. Okajima

I wrote a little more detail (but in Japanese ^^;):
http://d.hatena.ne.jp/defiant/20160115/1452858749

Thanks,
KATOH Yasufumi
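The report above turns on two host settings: the aufs module parameter `allow_userns` and whether unprivileged users may create user namespaces at all. The script below is an added example (not code from this thread, from aufs, or from the halfdog test program) that reads both and classifies the host's exposure. It assumes the standard sysfs location for a module parameter (`/sys/module/aufs/parameters/allow_userns`) and the Debian/Ubuntu-specific sysctl `kernel.unprivileged_userns_clone`, which vanilla kernels do not provide; both paths can be overridden through environment variables so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post or of aufs itself.
# Reports whether this host lets an unprivileged user reach aufs from
# inside a user namespace (the configuration the thread is testing).
#
# Assumptions: aufs exports its parameter at the standard sysfs path
# below; Debian/Ubuntu kernels export kernel.unprivileged_userns_clone,
# vanilla kernels do not (an absent sysctl is treated as "no restriction
# from this knob", not as proof that user namespaces are enabled).

AUFS_PARAM="${AUFS_PARAM:-/sys/module/aufs/parameters/allow_userns}"
USERNS_SYSCTL="${USERNS_SYSCTL:-/proc/sys/kernel/unprivileged_userns_clone}"

# read_flag FILE: print the first line of FILE, or "absent" if it cannot
# be read (module not loaded, sysctl not present on this kernel).
read_flag() {
    if [ -r "$1" ]; then
        read -r v < "$1" || v=""
        printf '%s\n' "${v:-absent}"
    else
        printf 'absent\n'
    fi
}

# aufs_userns_exposure: combine the two settings into one verdict.
# Prints exactly one of:
#   aufs-not-loaded   - no allow_userns parameter visible
#   aufs-off          - allow_userns is not 1 (the module default)
#   userns-restricted - allow_userns=1 but unprivileged userns creation
#                       is switched off by the sysctl
#   exposed           - allow_userns=1 and no sysctl restriction found
aufs_userns_exposure() {
    aufs=$(read_flag "$AUFS_PARAM")
    userns=$(read_flag "$USERNS_SYSCTL")
    case "$aufs" in
        absent) echo "aufs-not-loaded"; return 0 ;;
        1) ;;
        *) echo "aufs-off"; return 0 ;;
    esac
    if [ "$userns" = "0" ]; then
        echo "userns-restricted"
    else
        echo "exposed"
    fi
}

# Stand-alone use: print the verdict for the running host.
printf 'allow_userns=%s unprivileged_userns_clone=%s -> %s\n' \
    "$(read_flag "$AUFS_PARAM")" "$(read_flag "$USERNS_SYSCTL")" \
    "$(aufs_userns_exposure)"
```

The verdict `exposed` means only that the two knobs this thread discusses are permissive; it is the state in which the aufs case of the test program is worth re-running on a new kernel, not a statement that the kernel is vulnerable.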