This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed- bionic'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d????????? ? ? ? ? ? .aptitude -????????? ? ? ? ? ? .bash_history -????????? ? ? ? ? ? .bashrc d????????? ? ? ? ? ? .cache d????????? ? ? ? ? ? .gnupg d????????? ? ? ? ? ? .hplip -????????? ? ? ? ? ? .profile d????????? ? ? ? ? ? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USER PID ACCESS COMMAND /dev/snd/controlC1: wendler 3414 F.... pulseaudio /dev/snd/controlC0: wendler 3414 F.... pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago) dmi.bios.date: 09/26/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET71W (2.11 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FXS1B700 dmi.board.vendor: LENOVO dmi.board.version: SDK0J40697 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias: dmi:bvnLENOVO:bvrR07ET71W(2.11):bd09/26/2016:svnLENOVO:pn20FXS1B700:pvrThinkPadT460p:rvnLENOVO:rn20FXS1B700:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone: dmi.product.family: ThinkPad T460p dmi.product.name: 20FXS1B700 dmi.product.version: ThinkPad T460p dmi.sys.vendor: LENOVO To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1793458/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
