diff --git a/0008-client-disallow-unprivileged-users-to-escalate-root.patch b/0008-client-disallow-unprivileged-users-to-escalate-root.patch
new file mode 100644
index 0000000000000000000000000000000000000000..740df92d7525abecea80022d22687c5fdf39ad92
--- /dev/null
+++ b/0008-client-disallow-unprivileged-users-to-escalate-root.patch
@@ -0,0 +1,85 @@
+From fb1b72d5cbfb285620a2ae632f1b4d75b8fb8336 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 3 Apr 2024 19:02:08 +0800
+Subject: [PATCH] client: disallow unprivileged users to escalate root
+ privileges
+
+An unprivileged user can `chmod 777` a directory owned by root
+and gain access. Fix this bug and also add a test case for the
+same.
+
+Signed-off-by: Xiubo Li
+Signed-off-by: Venky Shankar
+---
+ src/client/Client.cc | 24 ++++++++++++++----------
+ src/test/libcephfs/suidsgid.cc | 10 ++++++++++
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/src/client/Client.cc b/src/client/Client.cc
+index f1f70c1321d..eefcf555dc9 100644
+--- a/src/client/Client.cc
++++ b/src/client/Client.cc
+@@ -6204,18 +6204,22 @@ int Client::may_setattr(const InodeRef& in, struct ceph_statx *stx, int mask,
+ }
+
+ if (mask & CEPH_SETATTR_MODE) {
++ bool allowed = false;
++ /*
++ * Currently the kernel fuse and libfuse code is buggy and
++ * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
++ * But will just set the ATTR_MODE and at the same time by
++ * clearing the suid/sgid bits.
++ *
++ * Only allow unprivileged users to clear S_ISUID and S_ISUID.
++ */
++ if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
++ (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
++ allowed = true;
++ }
+ uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed
+ ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec << dendl;
+- if (perms.uid() != 0 && perms.uid() != in->uid &&
+- /*
+- * Currently the kernel fuse and libfuse code is buggy and
+- * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
+- * But will just set the ATTR_MODE and at the same time by
+- * clearing the suid/sgid bits.
+- *
+- * Only allow unprivileged users to clear S_ISUID and S_ISUID.
+- */
+- (m & ~(S_ISUID | S_ISGID)))
++ if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
+ goto out;
+
+ gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid;
+diff --git a/src/test/libcephfs/suidsgid.cc b/src/test/libcephfs/suidsgid.cc
+index 0802e8cb2b4..2ca38349a72 100644
+--- a/src/test/libcephfs/suidsgid.cc
++++ b/src/test/libcephfs/suidsgid.cc
+@@ -134,6 +134,14 @@ void run_truncate_test_case(int mode, int result, size_t size, bool with_admin=f
+ ceph_close(_cmount, fd);
+ }
+
++void run_change_mode_test_case()
++{
++ char c_dir[1024];
++ sprintf(c_dir, "/mode_test_%d", getpid());
++ ASSERT_EQ(0, ceph_mkdirs(admin, c_dir, 0700));
++ ASSERT_EQ(ceph_chmod(cmount, c_dir, 0777), -EPERM);
++}
++
+ TEST(SuidsgidTest, WriteClearSetuid) {
+ ASSERT_EQ(0, ceph_create(&admin, NULL));
+ ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
+@@ -206,6 +214,8 @@ TEST(SuidsgidTest, WriteClearSetuid) {
+ // 14, Truncate by unprivileged user clears the suid and sgid
+ run_truncate_test_case(06766, 0, 100);
+
++ run_change_mode_test_case();
++
+ // clean up
+ ceph_shutdown(cmount);
+ ceph_shutdown(admin);
+-- 
+2.47.1
+
diff --git a/ceph.spec b/ceph.spec
index 04e05337eb3964f8af424f127bb1de07932b3b5c..a2b2b44a4980daf820b5b597f4295cae48fc4d5a 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -174,7 +174,7 @@
 #################################################################################
 Name: ceph
 Version: 18.2.2
-Release: 8
+Release: 9
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch: 2
 %endif
@@ -199,6 +199,7 @@
 Patch4: 0004-fix-mds-metadata-lost-in-one-case.patch
 Patch6: 0005-fix-lz4-not-found.patch
 Patch7: 0006-fix-CVE-2024-48916.patch
 Patch8: 0007-client-set-LIBMOUNT_FORCE_MOUNT2-always.patch
+Patch9: 0008-client-disallow-unprivileged-users-to-escalate-root.patch
 %ifarch loongarch64
 Patch5: 9001-add-supprot-for-loongarch64.patch
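Review bot: The `allowed` predicate added in Client::may_setattr only requires that the S_ISUID/S_ISGID bits differ between `in->mode` and `stx->stx_mode`, so an unprivileged non-owner who leaves every other bit alone can still set setuid/setgid on a file it does not own; that contradicts the comment's "only allow unprivileged users to clear" and is the direction that matters for a root-owned executable (whether the MDS rejects it independently is not visible here). Require the new special bits to be a subset of the old ones by adding `(stx->stx_mode & (S_ISUID | S_ISGID) & ~in->mode) == 0 &&` to the condition. The equality on the remaining bits compares everything else including any S_IFMT type bits `in->mode` carries; the test in this series calls `ceph_chmod(cmount, c_dir, 0777)` with a bare permission mode, so if other callers reach here the same way the carve-out fails for a reason unrelated to permissions, and masking both sides with `07777` would avoid that. The comment's `S_ISUID and S_ISUID` should read `S_ISUID and S_ISGID`. may_setattr continues past the hunk on both sides.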
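Review bot: run_change_mode_test_case never removes `/mode_test_<pid>` after its assertion, so every run leaves a 0700 directory created through the admin mount on the test filesystem; add `ASSERT_EQ(0, ceph_rmdir(admin, c_dir));` after the chmod check (the sibling helpers are outside the hunk, so whether they clean up after themselves is not visible). It also pins only the `0700 -> 0777` rejection; to cover the carve-out this patch introduces, add a `ceph_stat` check that the mode is still 0700 after the -EPERM and, ideally, a case asserting that the non-owner mount can clear but not set S_ISUID/S_ISGID. `sprintf` into the 1024-byte buffer cannot overflow with `"/mode_test_%d"`, but `snprintf(c_dir, sizeof(c_dir), ...)` is the idiomatic form. This assumes `cmount` is the unprivileged mount and `admin` the privileged one, as the names and the `ceph_create(&admin, NULL)` call suggest.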
@@ -2645,6 +2646,9 @@ exit 0
 %{_datadir}/snmp/mibs
 %changelog
+* Mon Jul 7 2025 lizhipeng - 2:18.2.2-9
+- fix CVE-2025-52555
+
 * Wed Jul 2 2025 lizhipeng - 2:18.2.2-8
 - fix ceph-fuse mounting fail and coredump