oss-sec mailing list archives

Re: Re: CVE Request for glusterfs: fuse check return value of setuid


From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 4 Sep 2015 19:08:18 -0700

On Fri, Sep 04, 2015 at 08:42:10PM -0400, cve-assign () mitre org wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1254488
http://review.gluster.org/#/c/10780/
https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6

  - the only goal in calling setuid is to execute /bin/mount (or
    /bin/umount) from a process with both an effective UID of 0 and a
    real UID of 0. This is a requirement of the util-linux mount
    program. See the "if we're really root and aren't running setuid"
    comment in mount.c. Otherwise, for the types of mount usage in
    question, mount would print "mount: only root can do that" and
    exit.

This is an excellent analysis but does it hinge upon the util-linux "aren't
running suid" behaviour in mount? Does it matter that the busybox mount,
for example, doesn't appear to have this same requirement? I don't see
any corresponding code in:

http://sources.debian.net/src/busybox/1:1.22.0-15/util-linux/mount.c/

I'm certainly no busybox expert but nothing looks like a corresponding
uid == 0 && euid == 0 check. The call to sanitize_env_if_suid() even
suggests setuid execution is expected and anticipated.

Thanks
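The question above turns on whether the real-UID check lives only in the mount program. As an added example (not glusterfs code and not from this thread), a calling helper can check the setuid() result and both UIDs itself before exec, so the outcome does not depend on which mount implementation is installed. The names `id_ops`, `become_full_root`, `run_mount_helper` and `simulate` are hypothetical, and the fake UID functions are constructed test doubles.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam so the failure paths can run without privileges. */
struct id_ops { int (*set_uid)(uid_t); uid_t (*get_uid)(void); uid_t (*get_euid)(void); };
const struct id_ops real_ops = { setuid, getuid, geteuid };

/* Returns 0 only when real UID and effective UID are both 0 afterwards. */
int become_full_root(const struct id_ops *ops)
{
    if (ops->get_euid() != 0) { errno = EPERM; return -1; }
    if (ops->set_uid(0) != 0) return -1;       /* never ignore this result */
    if (ops->get_uid() != 0 || ops->get_euid() != 0) { errno = EPERM; return -1; }
    return 0;
}

/* Exec the mount program only after the caller-side check has passed. */
int run_mount_helper(const struct id_ops *ops, const char *path, char *const argv[])
{
    if (become_full_root(ops) != 0) {
        perror("not executing mount helper");
        return -1;
    }
    execv(path, argv);
    return -1;                                  /* execv only returns on failure */
}

/* Constructed test doubles. mode: 0 works, -1 fails, 1 returns 0 but changes nothing. */
static uid_t f_ruid, f_euid; static int f_mode;
static uid_t f_getuid(void) { return f_ruid; }
static uid_t f_geteuid(void) { return f_euid; }
static int f_setuid(uid_t u) {
    if (f_mode < 0) { errno = EAGAIN; return -1; }
    if (f_mode == 0) f_ruid = f_euid = u;
    return 0;
}
int simulate(uid_t ruid, uid_t euid, int mode)
{
    const struct id_ops fake = { f_setuid, f_getuid, f_geteuid };
    f_ruid = ruid; f_euid = euid; f_mode = mode;
    return become_full_root(&fake);
}
int main(void)
{
    printf("ok=%d setuid_fails=%d\n", simulate(1000, 0, 0), simulate(1000, 0, -1));
    return 0;
}
```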
