pam_ecryptfs doesn't drop gid when using user's files
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| eCryptfs | Fix Released | High | Tyler Hicks | |
| ecryptfs-utils (Ubuntu) | Fix Released | High | Tyler Hicks | |
Bug Description
I report several bugs as a single ticket as they have approximately the same significance and it's simpler to fix them at one time.
1) pam_ecryptfs heavily uses non-root files, dropping EUID=0, but forgets to drop EGID=0. To exploit it, try to create a symlink ~/.ecryptfs/
Some filesystem syscalls are used with EUID=0: inside of ecryptfs_
2) It runs (u)mount.
3) All results of set*id() syscalls must be checked so as not to repeat the sendmail bug. There is actually one real bug with an unchecked return code: wrap_passphrase
4) generate_nv_list() calls strlen() on user-controllable data. The data might not be terminated with \0. This may lead to a SEGFAULT.
5) src/libecryptfs
Note that (2) may not be fixed by dropping gid=0 with setresgid() as the process would become ptrace'able. As it still owns root-owned tty, etc., this would lead to privilege escalation.
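The following is an added example written for this page, not code from the reporter or from ecryptfs-utils, showing the hardening pattern that items (1), (3) and (4) of the report call for: switch the effective gid together with the effective uid, check every set*id() result and verify the outcome afterwards, and treat user-supplied buffers as bounded bytes rather than as C strings. The helper names (enter_user_context, leave_user_context, checked_strlen, user_context_roundtrip) and the prctl(PR_SET_DUMPABLE, 0) step, which addresses the ptrace concern in the note above, are my own choices and are not the project's actual fix.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Effective ids in force before we switched to the user; restored afterwards. */
struct saved_ids {
    uid_t euid;
    gid_t egid;
};

/* Temporarily switch BOTH effective ids to the login user's uid and gid
 * before touching anything under the user's home directory.
 * Returns 0 on success, -1 on failure (errno set); on failure the caller
 * must not go on to open user-owned paths. Illustrative helper, not
 * ecryptfs-utils code. */
int enter_user_context(uid_t uid, gid_t gid, struct saved_ids *saved)
{
    saved->euid = geteuid();
    saved->egid = getegid();

#ifdef __linux__
    /* Defensive: an id change must not leave the process ptrace-able by the
     * user while it still holds root-owned descriptors (tty, etc.). */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    /* gid first: once the euid is no longer 0, changing the egid is refused. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        int saved_errno = errno;
        (void)setegid(saved->egid);   /* best-effort rollback of the half-done switch */
        errno = saved_errno;
        return -1;
    }
    /* Verify the result instead of trusting the return codes alone. */
    if (geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Restore the previous effective ids once the user's files have been handled.
 * uid first: only with euid 0 may the egid be raised back to 0. */
int leave_user_context(const struct saved_ids *saved)
{
    if (seteuid(saved->euid) != 0)
        return -1;
    if (setegid(saved->egid) != 0)
        return -1;
    if (geteuid() != saved->euid || getegid() != saved->egid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Full drop-and-restore cycle; returns 0 only if every step succeeded. */
int user_context_roundtrip(uid_t uid, gid_t gid)
{
    struct saved_ids saved;
    if (enter_user_context(uid, gid, &saved) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return leave_user_context(&saved);
}

/* Length of a user-supplied buffer that may safely be handled as a C string
 * only if a NUL byte lies within its bounds. Returns the string length, or -1
 * when no terminator exists (the case where a plain strlen() would overrun). */
ssize_t checked_strlen(const char *buf, size_t buflen)
{
    const char *nul = memchr(buf, '\0', buflen);
    return nul ? (ssize_t)(nul - buf) : -1;
}

int main(void)
{
    /* Constructed sample: a "name=value" pair as a module might read from a
     * user-controlled file, and a 3-byte buffer with no terminator. */
    const char pair[] = "name=value";
    const char unterminated[3] = { 'a', 'b', 'c' };

    printf("roundtrip: %d\n", user_context_roundtrip(getuid(), getgid()));
    printf("pair length: %zd\n", checked_strlen(pair, sizeof pair));
    printf("unterminated: %zd\n", checked_strlen(unterminated, sizeof unterminated));
    return 0;
}
```

Run as an unprivileged user the round trip is a no-op that still exercises every check; in a root-owned login process it performs the actual gid+uid switch and restore. The rollback in enter_user_context matters because a half-done switch (egid changed, euid not) is exactly the inconsistent state the report warns about.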
CVE References
no longer affects: ecryptfs-utils (Fedora)
no longer affects: ecryptfs-utils (Debian)
Changed in ecryptfs: status: Triaged → In Progress
Thanks for the report. Will get these fixed.