** Tags added: patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1535150
Title: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped Status in linux package in Ubuntu: Confirmed Status in linux source package in Trusty: Fix Released Status in linux source package in Vivid: Fix Released Status in linux source package in Wily: Fix Released Status in linux source package in Xenial: Confirmed Bug description: On Ubuntu Wily it is possible to place an USERNS overlayfs mount over a fuse mount. The fuse filesystem may contain SUID binaries, but those cannot be executed due to nosuid mount options. But when touching such an SUID binary via overlayfs mount, this will trigger copy_up including all file attributes, thus creating a real SUID binary on the disk. Sequence: * Mount fuse filesystem exposing one world writable SUID binary * Create USERNS * Mount overlayfs on top of fuse * open the SUID binary RDWR in overlayfs, thus triggering copy_up Afterwards the SUID binary can be invoked to gain root privileges. For additional information, test tool see http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/ (InvitedOnly/3YD9ufze) and attached sharing policy. $ lsb_release -rd Description: Ubuntu 15.10 Release: 15.10 $ apt-cache policy linux-image-4.2.0-23-generic linux-image-4.2.0-23-generic: Installed: 4.2.0-23.28 Candidate: 4.2.0-23.28 Version table: *** 4.2.0-23.28 0 500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages 500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages 100 /var/lib/dpkg/status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
