Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Jul 2012 17:27:41 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Dustin Kirkland <dustin.kirkland@...zang.com>,
        Tyler Hicks <tyhicks@...onical.com>,
        Marcus Meissner <meissner@...e.de>,
        Dan Rosenberg <dan.j.rosenberg@...il.com>
Subject: Re: Re: ecryptfs headsup

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/11/2012 10:48 AM, Kurt Seifried wrote:
>> Hi Tyler, et al.-
> 
>> I don't have any objections at all with adding nosuid and nodev
>> to the hardcoded mount.ecryptfs_private options.
> 
>> Actually, I seem to recall this coming up recently before.  I 
>> can't find the bug or email thread (must have been IRC), but I 
>> recall offering to commit, test, and release that change 
>> immediately.  I believe I was asked to wait to do that until a
>> CVE had been published...  I can't find any record of that
>> conversation though, so that's just from memory.
> 
>> Shall I go ahead and commit/test/release that now, Tyler?
> 
> So it sounds like a non privileged user on an Ubuntu machine can 
> insert a USB stick/etc with a file system that gets automatically 
> mounted, said file system can contain setuid root binaries for
> example which the user can then execute, elevating privileges?

Please use CVE-2012-3409 for the ecryptfs mount.ecryptfs_private which
allows setuid and dev enabled filesystems, this affects multiple Linux
vendors.

Just to confirm: this only affects systems with a setuid
mount.ecryptfs_private?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP/gvtAAoJEBYNRVNeJnmTRdgP/3TJHs/zz066JsOQIvBCjWMM
hFGZjmDIjPdCbUtYioX/6aTR7NTUGdoLOlI9FwVVgBQhzEzdy/hoeD4fQKNje02a
JFOTg1v/PhlqYhEDZxgMLiaY5yv4uQeDZk+/ZlFfOGEQhRfZXtdB3o1u8U5L1u7f
Yo/ncDV+1+PCtPTtFQIp9/x//7mF2r0V5/ibvesCBmDicFmkLkmloBQFLdvlJeW5
muxhY1YYuu777CpWiYwY+59ZvqaeUODBUbGDwk5jQ0reDjwSafB8vz+DqKMbDlyT
HNYJXASGCdOlxMgM0ic7pR0q9eWYo6YzhCoBG7OM0c+2tqFqeNDAKNa+HKxZFPkj
1kQL4Rq+nx6l8gaPFNFu+Wj36ryUvN5HXVlVS3F2puoHdPM1kAwE9D59hwT27e8P
2UF1JFRLLnjWAk8MXRPMOXSDh3Gd05P8xw+2/032KJmSaROfujt2kz1/wCHhY0ai
gpc1oD4lf2SVC/9EM3vPx81MSYQWh1n+m8BqqT2TBGyZeSPXicW81QmPhyusJbp5
OMSBHy6gim2tSHZGK3+2HQNyB71vFDPyd78pa/mlCxcs5pkpR0uVTZHlwZvZclbB
GGarAoNXBFbp4g120FE/MQp74Zi+0xOkt3MdMbvN7OOSOJk3Bi949oii+TDDK/D2
P10aNjcPiGhwoo7CfsmY
=PPfw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.