Default ACL masks not working properly in eCryptfs

Bug #1009207 reported by Stefan Beller
This bug affects 1 person
Affects                    Status        Importance  Assigned to     Milestone
eCryptfs                   Fix Released  Medium      Tyler Hicks
ecryptfs-utils (Ubuntu)    Invalid       Undecided   Unassigned
  Lucid                    Invalid       Undecided   Unassigned
  Natty                    Invalid       Undecided   Unassigned
  Oneiric                  Invalid       Undecided   Unassigned
  Precise                  Invalid       Undecided   Unassigned
  Quantal                  Invalid       Undecided   Unassigned
linux (Ubuntu)             Fix Released  Undecided   Tim Gardner
  Lucid                    Fix Released  Undecided   Tim Gardner
  Natty                    Fix Released  Undecided   Colin Ian King
  Oneiric                  Fix Released  Undecided   Colin Ian King
  Precise                  Fix Released  Undecided   Colin Ian King
  Quantal                  Fix Released  Undecided   Tim Gardner

Bug Description

Originally discovered when installing latest git from original sources,
see discussion here http://marc.info/?t=133882478900001&r=1&w=2

This bug is exposed when the eCryptfs mount options do not include '-o acl', but the lower filesystem's mount options do include 'acl'. This results in the MS_POSIXACL flag *not* being set in the eCryptfs super_block.s_flags. This flag is what the VFS checks in do_last() when deciding if the current umask should be applied to a newly created inode's mode or not. When a default POSIX ACL mask is set on a directory, the current umask is incorrectly applied to new inodes created in the directory.

A simple test case was added to the ecryptfs-utils tree in tests/kernel/lp-1009207.sh:

http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/693

Test case from Jeff King (the setfacl command was incorrect in the original email from Jeff):

 setfacl -dm m:rwx .
 perl -MFcntl -e 'sysopen(X, "a", O_WRONLY|O_CREAT, 0444)'
 umask 077
 perl -MFcntl -e 'sysopen(X, "b", O_WRONLY|O_CREAT, 0444)'
 getfacl a b

On ext4, both files will have the read bit set in the mask. On ecryptfs,
"b" will have an empty mask.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: ecryptfs-utils 96-0ubuntu3
ProcVersionSignature: Ubuntu 3.2.0-25.40-generic 3.2.18
Uname: Linux 3.2.0-25-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu9
Architecture: amd64
Date: Tue Jun 5 22:37:36 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
SourcePackage: ecryptfs-utils
UpgradeStatus: Upgraded to precise on 2012-02-18 (108 days ago)
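
The mode computation described above, as an added example (not code from the kernel or from this bug report): a simplified C model of the umask step in the VFS and of default-ACL inheritance in the lower filesystem, applied to file "b" from the test case. The names create_file, default_acl, created and sample_dacl, and the 0755 directory mode behind the sample ACL, are assumptions made for illustration.

```c
#include <stdio.h>

/* Permission bits (0-7) of the default ACL entries that matter here. */
struct default_acl { unsigned user_obj, group_obj, mask, other; };

/* Outcome of a create: final mode bits plus the inherited access ACL. */
struct created { unsigned mode; struct default_acl acl; };

/* Constructed sample: default ACL of a 0755 directory (assumed mode)
 * after `setfacl -dm m:rwx .` */
static struct default_acl sample_dacl(void)
{
    struct default_acl d = { 7, 5, 7, 5 };
    return d;
}

/*
 * Simplified model of creating a file in a directory with a default ACL.
 * upper_posixacl: is MS_POSIXACL set in the s_flags the VFS checks?
 */
static struct created create_file(unsigned mode, unsigned umask_bits,
                                  struct default_acl dacl, int upper_posixacl)
{
    struct created c;

    /* VFS step: the umask is applied only when MS_POSIXACL is not set. */
    if (!upper_posixacl)
        mode &= ~umask_bits;

    /* Lower filesystem step: each inherited entry is ANDed with the
     * matching class bits of the (possibly already reduced) mode. */
    c.acl.user_obj  = dacl.user_obj & ((mode >> 6) & 7);
    c.acl.group_obj = dacl.group_obj;   /* unchanged; capped by the mask */
    c.acl.mask      = dacl.mask & ((mode >> 3) & 7);
    c.acl.other     = dacl.other & (mode & 7);
    c.mode = (c.acl.user_obj << 6) | (c.acl.mask << 3) | c.acl.other;
    return c;
}

int main(void)
{
    struct created ext4 = create_file(0444, 077, sample_dacl(), 1);
    struct created ecfs = create_file(0444, 077, sample_dacl(), 0);

    printf("ext4     b: mode %04o mask %o\n", ext4.mode, ext4.acl.mask);
    printf("eCryptfs b: mode %04o mask %o\n", ecfs.mode, ecfs.acl.mask);
    return 0;
}
```

In this model the result without MS_POSIXACL is always a subset of the result with it, so the new file can only end up more restrictive than intended.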

Stefan Beller (stefanbeller) wrote :
Tyler Hicks (tyhicks)
Changed in ecryptfs:
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Hi Stefan - Thanks for using eCryptfs!

I'm going to make this report public because the issue was already discussed on public mailing lists. Additionally, the security impacts are minimal because the file's mode can only be more restrictive than intended due to this bug and access checks are still performed on the lower inode.

visibility: private → public
security vulnerability: yes → no
Changed in linux (Ubuntu):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

I've confirmed this on upstream 3.5-rc1 and Ubuntu 3.2.0-24.39-generic

Changed in ecryptfs-utils (Ubuntu):
status: New → Invalid
Changed in ecryptfs:
assignee: nobody → Tyler Hicks (tyhicks)
summary: - ACL not working properly
+ Default ACL masks not working properly in eCryptfs
description: updated
Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks)
Changed in ecryptfs:
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :
Tyler Hicks (tyhicks) wrote :

This fix was merged into Linus' tree. It should be released in 3.6-rc1.

http://git.kernel.org/linus/069ddcda37b2cf5bb4b6031a944c0e9359213262

Changed in ecryptfs:
status: In Progress → Fix Committed
Tyler Hicks (tyhicks)
Changed in ecryptfs:
status: Fix Committed → Fix Released
Tim Gardner (timg-tpi)
Changed in ecryptfs-utils (Ubuntu Natty):
status: New → Invalid
Changed in ecryptfs-utils (Ubuntu Oneiric):
status: New → Invalid
Changed in ecryptfs-utils (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Natty):
assignee: nobody → smokeyking (cking)
status: New → Fix Committed
assignee: smokeyking (cking) → Colin King (colin-king)
Changed in linux (Ubuntu Oneiric):
assignee: nobody → Colin King (colin-king)
status: New → Fix Committed
Changed in linux (Ubuntu Precise):
assignee: nobody → Colin King (colin-king)
status: New → Fix Committed
Changed in linux (Ubuntu Quantal):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Lucid):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in ecryptfs-utils (Ubuntu Lucid):
status: New → Invalid
Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Committed
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Brad Figg (brad-figg)
tags: added: verification-needed-oneiric
tags: added: verification-needed-lucid
tags: added: verification-needed-natty
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Lucid in -proposed solves the problem (2.6.32-42.96). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Colin Ian King (colin-king) wrote :

Passed with ext2,ext3,ext4,xfs and btrfs lower file system, Linux ubuntu 2.6.32-42-server #96-Ubuntu SMP Wed Aug 15 19:52:20 UTC 2012 x86_64 GNU/Linux

sudo ./tests/run_tests.sh -K -c safe -b 1000000 -D /tmp/image -l /lower -u /upper -t lp-1009207.sh -f ext2,ext3,ext4,xfs,btrfs
Running eCryptfs filesystem tests on ext2
lp-1009207 pass
Running eCryptfs filesystem tests on ext3
lp-1009207 pass
Running eCryptfs filesystem tests on ext4
lp-1009207 pass
Running eCryptfs filesystem tests on xfs
lp-1009207 pass
Running eCryptfs filesystem tests on btrfs
lp-1009207 pass

Test Summary:
5 passed
0 failed

tags: added: verification-done-lucid
removed: verification-needed-lucid
Colin Ian King (colin-king) wrote :

Passed with ext2,ext3,ext4,xfs and btrfs lower file system, Linux ubuntu 2.6.38-15-server #66-Ubuntu SMP Tue Aug 14 17:42:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

tags: added: verification-done-natty
removed: verification-needed-natty
Colin Ian King (colin-king) wrote :

Passed with ext2,ext3,ext4,xfs and btrfs lower file system, Linux ubuntu 3.0.0-25-server #41-Ubuntu SMP Mon Aug 13 18:18:27 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

tags: added: verification-done-oneiric
removed: verification-needed-oneiric
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Precise in -proposed solves the problem (3.2.0-30.47). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Colin Ian King (colin-king) wrote :

Passed with ext2,ext3,ext4,xfs and btrfs lower file system, Linux ubuntu 3.2.0-30-generic #47-Ubuntu SMP Wed Aug 15 19:30:10 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

tags: added: verification-done-precise
removed: verification-needed-precise
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-15.66

---------------
linux (2.6.38-15.66) natty-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1036250

  [ Upstream Kernel Changes ]

  * udf: Fortify loading of sparing table
    - LP: #1024497
    - CVE-2012-3400
  * udf: Avoid run away loop when partition table length is corrupted
    - LP: #1024497
    - CVE-2012-3400
  * eCryptfs: Gracefully refuse miscdev file ops on inherited/passed files
  * eCryptfs: Copy up POSIX ACL and read-only flags from lower mount
    - LP: #1009207
 -- Luis Henriques <email address hidden> Mon, 13 Aug 2012 16:23:51 +0100

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-30.48

---------------
linux (3.2.0-30.48) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1041217

  [ Upstream Kernel Changes ]

  * mutex: Place lock in contended state after fastpath_lock failure
    - LP: #1041114

linux (3.2.0-30.47) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1036581

  [ Andy Whitcroft ]

  * add support for generating binary device trees and install them in
    /lib/firmware
    - LP: #1030600
  * [Config] add dtb_file configuration for highbank
    - LP: #1030600

  [ Chris Van Hoof ]

  * SAUCE: dell-laptop: additional rfkill blacklist Dell XPS 13
    - LP: #1030957
  * [Config] Add cifs support to the nfs-modules list
    - LP: #1031398

  [ Daniel P. Berrange ]

  * SAUCE: (drop after 3.6) Forbid invocation of kexec_load() outside
    initial PID namespace
    - LP: #1034125

  [ Dann Frazier ]

  * [Config] Compile the rtc-pl031 driver builtin on the highbank kernel
    flavour
    - LP: #1035110

  [ Douglas Bagnall ]

  * SAUCE: Unlock the rc_dev lock when the raw device is missing
    - LP: #1015836

  [ Rob Herring ]

  * SAUCE: ARM: highbank: add soft power and reset key event handling
    - LP: #1033853
  * SAUCE: ARM: highbank: use writel_relaxed variant for pwr requests
    - LP: #1033853
  * SAUCE: ahci: un-staticize ahci_dev_classify
    - LP: #1033853
  * SAUCE: ahci_platform: add custom hard reset for Calxeda ahci ctrlr
    - LP: #1033853

  [ Stefan Bader ]

  * (pre-stable) KVM: VMX: Set CPU_BASED_RDPMC_EXITING for nested
    - LP: #1031090

  [ Tim Gardner ]

  * [Config] updateconfigs

  [ Upstream Kernel Changes ]

  * ideapad: generate valid key event only
    - LP: #1029834
  * mm: reduce the amount of work done when updating min_free_kbytes
    - LP: #1032640
  * mm: compaction: allow compaction to isolate dirty pages
    - LP: #1032640
  * mm: compaction: determine if dirty pages can be migrated without
    blocking within ->migratepage
    - LP: #1032640
  * mm: page allocator: do not call direct reclaim for THP allocations
    while compaction is deferred
    - LP: #1032640
  * mm: compaction: make isolate_lru_page() filter-aware again
    - LP: #1032640
  * mm: compaction: introduce sync-light migration for use by compaction
    - LP: #1032640
  * mm: vmscan: when reclaiming for compaction, ensure there are sufficient
    free pages available
    - LP: #1032640
  * mm: vmscan: do not OOM if aborting reclaim to start compaction
    - LP: #1032640
  * mm: vmscan: check if reclaim should really abort even if
    compaction_ready() is true for one zone
    - LP: #1032640
  * vmscan: promote shared file mapped pages
    - LP: #1032640
  * vmscan: activate executable pages after first usage
    - LP: #1032640
  * mm/vmscan.c: consider swap space when deciding whether to continue
    reclaim
    - LP: #1032640
  * mm: test PageSwapBacked in lumpy reclaim
    - LP: #1032640
  * mm: vmscan: convert global reclaim to per-memcg LRU lists
    - LP: #1032640
  * cpuset: mm: reduce large amounts of memory barrier related damage v3
    - LP: #1032640
  * mm/hugetlb: fix warni...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.0.0-25.41

---------------
linux (3.0.0-25.41) oneiric-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1036178

  [ Andy Whitcroft ]

  * SAUCE: rds_ib_send() -- prevent local pings triggering BUG_ON()
    - LP: #1016299
    - CVE-2012-2372

  [ Douglas Bagnall ]

  * SAUCE: Unlock the rc_dev lock when the raw device is missing
    - LP: #1015836

  [ Upstream Kernel Changes ]

  * cifs: always update the inode cache with the results from a FIND_*
    - LP: #1031926
  * ntp: Fix STA_INS/DEL clearing bug
    - LP: #1031926
  * mm: fix lost kswapd wakeup in kswapd_stop()
    - LP: #1031926
  * MIPS: Properly align the .data..init_task section.
    - LP: #1031926
  * UBIFS: fix a bug in empty space fix-up
    - LP: #1031926
  * dm raid1: fix crash with mirror recovery and discard
    - LP: #1031926
  * mm/vmstat.c: cache align vm_stat
    - LP: #1031926
  * mm: memory hotplug: Check if pages are correctly reserved on a
    per-section basis
    - LP: #1031926
  * mm: reduce the amount of work done when updating min_free_kbytes
    - LP: #1031926
  * mm: vmscan: fix force-scanning small targets without swap
    - LP: #1031926
  * vmscan: clear ZONE_CONGESTED for zone with good watermark
    - LP: #1031926
  * vmscan: add shrink_slab tracepoints
    - LP: #1031926
  * vmscan: shrinker->nr updates race and go wrong
    - LP: #1031926
  * vmscan: reduce wind up shrinker->nr when shrinker can't do work
    - LP: #1031926
  * vmscan: limit direct reclaim for higher order allocations
    - LP: #1031926
  * vmscan: abort reclaim/compaction if compaction can proceed
    - LP: #1031926
  * mm: compaction: trivial clean up in acct_isolated()
    - LP: #1031926
  * mm: change isolate mode from #define to bitwise type
    - LP: #1031926
  * mm: compaction: make isolate_lru_page() filter-aware
    - LP: #1031926
  * mm: zone_reclaim: make isolate_lru_page() filter-aware
    - LP: #1031926
  * mm: migration: clean up unmap_and_move()
    - LP: #1031926
  * mm: compaction: allow compaction to isolate dirty pages
    - LP: #1031926
  * mm: compaction: determine if dirty pages can be migrated without
    blocking within ->migratepage
    - LP: #1031926
  * mm: page allocator: do not call direct reclaim for THP allocations
    while compaction is deferred
    - LP: #1031926
  * mm: compaction: make isolate_lru_page() filter-aware again
    - LP: #1031926
  * kswapd: avoid unnecessary rebalance after an unsuccessful balancing
    - LP: #1031926
  * kswapd: assign new_order and new_classzone_idx after wakeup in sleeping
    - LP: #1031926
  * mm: compaction: introduce sync-light migration for use by compaction
    - LP: #1031926
  * mm: vmscan: when reclaiming for compaction, ensure there are sufficient
    free pages available
    - LP: #1031926
  * mm: vmscan: do not OOM if aborting reclaim to start compaction
    - LP: #1031926
  * mm: vmscan: check if reclaim should really abort even if
    compaction_ready() is true for one zone
    - LP: #1031926
  * vmscan: promote shared file mapped pages
    - LP: #1031926
  * vmscan: activate executable pages after first usage
    - LP: #1031926
  *...


Changed in linux (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-42.96

---------------
linux (2.6.32-42.96) lucid-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1036553

  [ Andy Whitcroft ]

  * SAUCE: rds_ib_send() -- prevent local pings triggering BUG_ON()
    - LP: #1016299
    - CVE-2012-2372

  [ Upstream Kernel Changes ]

  * udf: Fortify loading of sparing table
    - LP: #1024497
    - CVE-2012-3400
  * udf: Avoid run away loop when partition table length is corrupted
    - LP: #1024497
    - CVE-2012-3400
  * eCryptfs: Gracefully refuse miscdev file ops on inherited/passed files
    - LP: #994247
  * eCryptfs: Copy up POSIX ACL and read-only flags from lower mount
    - LP: #1009207
  * drm: integer overflow in drm_mode_dirtyfb_ioctl()
    - LP: #917838
    - CVE-2012-0044
 -- Luis Henriques <email address hidden> Tue, 14 Aug 2012 09:51:58 +0100

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released