Commit | Line | Data |
---|---|---|
55a56237 GKH |
1 | From dc6f55e9f8dac4b6479be67c5c9128ad37bb491f Mon Sep 17 00:00:00 2001 |
2 | From: NeilBrown <neilb@suse.de> | |
3 | Date: Tue, 25 Oct 2011 10:25:49 +1100 | |
4 | Subject: NFS/sunrpc: don't use a credential with extra groups. | |
5 | ||
6 | From: NeilBrown <neilb@suse.de> | |
7 | ||
8 | commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream. | |
9 | ||
10 | The sunrpc layer keeps a cache of recently used credentials and | |
11 | 'unx_match' is used to find the credential which matches the current | |
12 | process. | |
13 | ||
14 | However unx_match allows a match when the cached credential has extra | |
15 | groups at the end of uc_gids list which are not in the process group list. | |
16 | ||
17 | So if a process with a list of (say) 4 groups accesses a file and gains | |
18 | access because of the last group in the list, then another process | |
19 | with the same uid and gid, and a gid list being the first three of the | |
20 | gids of the original process tries to access the file, it will be | |
21 | granted access even though it shouldn't as the wrong rpc credential | |
22 | will be used. | |
23 | ||
24 | Signed-off-by: NeilBrown <neilb@suse.de> | |
25 | Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> | |
26 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
27 | ||
28 | --- | |
29 | net/sunrpc/auth_unix.c | 3 +++ | |
30 | 1 file changed, 3 insertions(+) | |
31 | ||
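--- a/net/sunrpc/auth_unix.c
+++ b/net/sunrpc/auth_unix.c
@@ -129,6 +129,9 @@ unx_match(struct auth_cred *acred, struc
 for (i = 0; i < groups ; i++)
 if (cred->uc_gids[i] != GROUP_AT(acred->group_info, i))
 return 0;
+ if (groups < NFS_NGROUPS &&
+ cred->uc_gids[groups] != NOGROUP)
+ return 0;
 return 1;
 }
 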
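Review bot: The added test `cred->uc_gids[groups] != NOGROUP` only proves that the cached list ends at `groups` if every cached credential holding fewer than NFS_NGROUPS entries has a NOGROUP terminator in the next slot, and nothing in this hunk shows or states that invariant. It is presumably established where the credential is created, outside the lines shown, so a one-line comment above the check would keep the two in step, for example `/* uc_gids is NOGROUP-terminated when short; a longer cached list must not match */`. When `groups` equals NFS_NGROUPS the check is skipped, which looks intentional because there is no slot past the end of the array, but the same comment should say so. unx_match begins before the hunk, so how `groups` is derived and clamped is not visible here.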