Comment 2 for bug 1535150

halfdog (halfdog) wrote : Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

Yes, maybe I have attributed the effects to the wrong cause (or made some mistake in testing). But I am not sure if the path via .write_iter is really relevant to the issue either: the SUID bit is copied by the strange copy_up function, not by the normal SUID-bit-preserving operation from user space.

Usually copy_up would only copy SUID binaries that were also "real" SUID binaries on the lower filesystem. But with fuse mounted as an unprivileged user via fusermount and outside of any USERNS, fuse may "pretend" to include SUID binaries with UID=0, but the mount itself is "nosuid" and private (no other UID can see the fuse-fs content). Overlayfs ignores the "nosuid" AND the private type of the lower filesystem, copies up the SUID binary, thus creating a SUID binary with arbitrary UID and content on the upper filesystem, which can then be executed by the unprivileged user outside USERNS to gain privileges.

Hence the world-writable SUID file should be just a red herring here, and not really important for the test case.
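The risky configuration the comment describes (an overlay whose lower layer lives on a fuse mount that is itself mounted nosuid) can be audited from /proc/self/mountinfo. The following is an added example, not code from the bug report or from the kernel; it parses a constructed mountinfo sample and assumes the standard mountinfo field layout (mount point in field 5, per-mount options in field 6, fstype and super options after the "-" separator).

```python
# Audit helper: flag overlay mounts whose lowerdir sits on a nosuid fuse mount.
# Reads the /proc/self/mountinfo format; paths with spaces are octal-escaped
# there (e.g. \040), which this example does not unescape.

# Constructed sample mountinfo (not taken from the bug report).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
61 22 0:41 / /home/user/fusemnt rw,nosuid,nodev,relatime - fuse.sshfs user@host: rw,user_id=1000,group_id=1000
62 22 0:42 / /home/user/merged rw,relatime - overlay overlay rw,lowerdir=/home/user/fusemnt,upperdir=/home/user/upper,workdir=/home/user/work
63 22 0:43 / /mnt/safe rw,relatime - overlay overlay rw,lowerdir=/srv/lower,upperdir=/srv/upper,workdir=/srv/work
"""


def parse_mountinfo(text):
    """Return a list of dicts with mount point, per-mount options, fstype, super options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")  # optional fields end at the lone "-"
        pre_fields = pre.split()
        post_fields = post.split(None, 2)  # fstype, source, super options
        mounts.append({
            "mount_point": pre_fields[4],
            "mount_opts": set(pre_fields[5].split(",")),
            "fstype": post_fields[0],
            "super_opts": post_fields[2] if len(post_fields) > 2 else "",
        })
    return mounts


def mount_for_path(mounts, path):
    """Longest path-boundary-aware mount point prefix wins (the mount backing `path`)."""
    best = None
    for m in mounts:
        mp = m["mount_point"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mount_point"]):
                best = m
    return best


def find_risky_overlays(text):
    """List (overlay mount point, lower dir, backing fuse mount point) triples."""
    mounts = parse_mountinfo(text)
    findings = []
    for m in mounts:
        if m["fstype"] != "overlay":
            continue
        # Super options are key=value; a lowerdir containing commas would break this.
        opts = dict(kv.split("=", 1) for kv in m["super_opts"].split(",") if "=" in kv)
        for lower in opts.get("lowerdir", "").split(":"):  # multiple lower layers are ":"-separated
            backing = mount_for_path(mounts, lower)
            if backing and backing["fstype"].split(".")[0] == "fuse" and "nosuid" in backing["mount_opts"]:
                findings.append((m["mount_point"], lower, backing["mount_point"]))
    return findings


if __name__ == "__main__":
    for overlay, lower, fuse_mp in find_risky_overlays(SAMPLE_MOUNTINFO):
        print(f"overlay {overlay}: lowerdir {lower} is on nosuid fuse mount {fuse_mp}")
```

On a live system, replace SAMPLE_MOUNTINFO with the contents of /proc/self/mountinfo; the overlay over /srv/lower in the sample is correctly not reported because its lower layer is on the ext4 root.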