DAC permissions not correctly enforced
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Kees Cook |
Hardy | Fix Released | High | Kees Cook |
Intrepid | Fix Released | High | Kees Cook |
ntfs-3g (Ubuntu) | Invalid | Undecided | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
Intrepid | Invalid | Undecided | Unassigned |
Bug Description
I seem to be able to get a privilege elevation when mounting an ntfs device in fstab. This is on Hardy Alpha with all updates installed to date (2008-02-08).
Take for example the /etc/fstab line:
UUID=3E7EA4A67E
If I mount this with mount /mnt/sda3 all looks fine. Doing ls -l /mnt shows as expected:
dr--r----- 1 aoakley aoakley 12288 2008-02-08 22:51 sda3
However there seem to be two security issues. Firstly if I log on as "aoakley", I am able to WRITE to this mount, even though the permissions are read-only. For example, when logged on as aoakley, echo "hello world" >/mnt/sda3/x.txt works!
Secondly, even when I log on as an entirely unrelated user who is NOT a member of the "aoakley" group, I can STILL write to this mount! For example, when logged on as guest (who is not a member of aoakley), echo "hello from guest" >/mnt/sda3/x.txt still works fine!
Am I significantly misunderstanding user/group permissions on mounted devices, or is this a bug?
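A check for the mismatch reported above, as an added example that is not part of the original bug report or of the kernel or ntfs-3g code: it works out what the owner/group/other mode bits promise the calling user, then asks the kernel by creating a scratch file, and flags a directory where creation succeeds although the bits deny it. The function names are hypothetical, and it assumes plain mode bits only (no POSIX ACLs or LSM policy) and that uid 0 bypasses DAC.

```python
import os
import stat
import sys
import tempfile


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx bits (0-7) of the single class DAC applies to this caller."""
    if uid == 0:
        return 0o7  # assumption: root holds CAP_DAC_OVERRIDE and bypasses DAC
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def may_create(bits):
    """Creating a file in a directory needs both write and search (x) on it."""
    return (bits & 0o3) == 0o3


def probe_create(directory):
    """Ask the kernel: create and delete a scratch file, report whether it worked."""
    try:
        fd, path = tempfile.mkstemp(prefix=".dac-probe-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(path)
    return True


def audit(directory):
    """Compare what the mode bits promise with what the mount actually permits."""
    st = os.stat(directory)
    gids = set(os.getgroups()) | {os.getegid()}
    bits = class_bits(st.st_mode, st.st_uid, st.st_gid, os.geteuid(), gids)
    expected, actual = may_create(bits), probe_create(directory)
    return {"path": directory, "mode": stat.filemode(st.st_mode),
            "expected": expected, "actual": actual,
            "violation": actual and not expected}


if __name__ == "__main__":
    for target in sys.argv[1:]:  # e.g. a mount point such as /mnt/sda3
        print(audit(target))
```

Run it as an unprivileged user against the mount point; a result with "violation": True corresponds to the behaviour described in this report.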
description: updated
Changed in linux:
importance: Undecided → High
milestone: none → ubuntu-8.04.1
status: New → Triaged
Changed in ntfs-3g:
status: New → Confirmed
Changed in linux:
assignee: nobody → keescook
Changed in linux:
milestone: ubuntu-8.04.1 → none
Changed in linux:
status: Triaged → Fix Committed
status: Triaged → Fix Released
I'm guessing this is the same problem as described in bug #198403 (now marked as duplicate of this).
In that case I can confirm this for Hardy Beta, fully updated as of postdate.
(See my bug report for some extra info and a screenshot of the process.)