diff options
| author | Eric Biggers <ebiggers@google.com> | 2017-09-18 21:37:03 +0300 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-01-01 23:50:52 +0300 |
| commit | a0ff43031db9d248f659a5db3a819f5498203775 (patch) | |
| tree | 2c93eb6066ea635e2a4c59e4b2ee8b6387859f93 /include/linux/key.h | |
| parent | 0286cd9b50525d917de6f882fa6cbbe4190cf2d2 (diff) | |
| download | linux-a0ff43031db9d248f659a5db3a819f5498203775.tar.xz | |
KEYS: prevent creating a different user's keyrings
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000
-5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include/linux/key.h')
| -rw-r--r-- | include/linux/key.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/key.h b/include/linux/key.h index 183a6af7715d..2c631b4c559e 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -155,6 +155,7 @@ struct key { #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ +#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */ /* the description string * - this is used to match a key against search criteria @@ -196,6 +197,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */ #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */ +#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ extern void key_revoke(struct key *key); extern void key_put(struct key *key); |