Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 502538 (CVE-2014-2079) - x11-misc/xfe : directory masks ignored when root creates new files on Samba and NFS
Summary: x11-misc/xfe : directory masks ignored when root creates new files on Samba a...
Status: RESOLVED INVALID
Alias: CVE-2014-2079
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-26 13:46 UTC by Agostino Sarubbo
Modified: 2016-11-12 13:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-26 13:46:58 UTC
From ${URL} :

Robert Rottscholl reported that when creating a new file via X File 
Explorer (xfe) on a Samba or NFS share, the user's mask was used for the 
permissions instead of that specified by the Samba or NFS configuration. 
Full details and patches are available from the following:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739536

 From brief testing on Fedora with Samba and the "create mask" smb.conf 
option, this issue only presented when running xfe as the root user. The 
intended mask was used when running xfe as an unprivileged user. I don't 
the equivalent NFS option.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-13 08:44:45 UTC
Debian has (of course) patched this behaviour out.
Red Hat has decided this is not a security issue.
Upstream shows no patches/issues related to these changes. So it's just Debian carrying the patch.

And the only thing Debian's patch changes is to add this check:
     if(getuid()>0)

when setting the umask. I don't think it's possible to determine what a safe UID would be in this case. >0 certainly isn't it.

Also note that at this point you're still running as root a graphical tool intended to manipulate and execute files. Anything could happen.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 13:46:09 UTC
Per previous comments and the reports from various distributions this is not a security issue, but a policy issue on the proper use of root logins.