Bug 441570

Summary: Kernel: btrfs: creates world writable files
Product: Gentoo Security
Reporter: Raimonds Cicans <ray>
Component: Kernel
Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED OBSOLETE
Severity: normal
CC: ray
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.kernel.org/show_bug.cgi?id=50861
Whiteboard: [<3.8-rc1]
Package list:
Runtime testing required: ---
Attachments (description, flags):
emerge --info : affected system #1 (flags: none)
emerge --info : affected system #2 (flags: none)
emerge --info : not affected system (flags: none)
Test program in C: creates 1000000 empty files (flags: none)

Description Raimonds Cicans 2012-11-03 13:05:03 UTC
On 2 systems out of 3, the file /usr/lib64/thunderbird/libxul.so from package mail-client/thunderbird-10.0.9 has permissions 0777.

It looks like previous versions of mail-client/thunderbird are not affected.
Comment 1 Raimonds Cicans 2012-11-03 13:07:05 UTC
Created attachment 328208
emerge --info : affected system #1
Comment 2 Raimonds Cicans 2012-11-03 13:07:36 UTC
Created attachment 328210
emerge --info : affected system #2
Comment 3 Raimonds Cicans 2012-11-03 13:08:12 UTC
Created attachment 328212
emerge --info : not affected system
Comment 4 Raimonds Cicans 2012-11-03 16:20:59 UTC
Same problem with www-client/firefox-10.0.9:/usr/lib64/firefox/libxul.so
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-13 00:09:38 UTC
@mozilla, can you please look into this?
Comment 6 Ian Stakenvicius (RETIRED) gentoo-dev 2012-11-13 17:13:11 UTC
I can't reproduce it locally; libxul.so (and others) install with 0755.

Is it possible that for some reason there's a non-standard umask on these affected systems?  Or something special with the filesystem (either in /var/tmp/portage or in /usr/lib64/[whatever] )?
Comment 7 Raimonds Cicans 2012-11-16 19:52:10 UTC
(In reply to comment #6)
> Is it possible that for some reason there's a non-standard umask on these
> affected systems?  Or something special with the filesystem (either in
> /var/tmp/portage or in /usr/lib64/[whatever] )?

Umask on all systems is 0022.
$PORTAGE_TMPDIR on all systems resides on a btrfs sub-volume with the same permissions.
/usr/lib64/[whatever] has the same permissions on all systems.
Comment 8 Raimonds Cicans 2012-11-16 19:55:02 UTC
Version 10.0.10 of thunderbird & firefox is also affected
Comment 9 Raimonds Cicans 2012-11-20 15:16:18 UTC
Created attachment 330086
Test program in C: creates 1000000 empty files

On one of the affected systems I used tmpfs for $PORTAGE_TMPDIR instead of btrfs.
Thunderbird compiled without problems.
So it looks like the problem is in btrfs.

I found one simple test case: when creating a large number of empty files, some files get world-writable permissions.

To test this case I attached a simple C program which creates 1000000 empty files.
Short instructions:
gcc -O2 mkfiles.c
umask 0022
./a.out
find . -type f -perm -g+w | wc -l

The last command on a non-affected system should return 0.

Affected kernels:
3.4.2-hardened
3.5.4-hardened-r1
3.6.6-gentoo

What should I do next with this bug? Should I report this upstream?
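
An added example, not part of the original comment and not the attached mkfiles.c: a self-checking variant of the test described above. It creates empty files, then compares each file's full permission bits against the requested mode masked by the umask, so it flags group- or world-writable files alike. The function name, file-name pattern, requested mode 0666 and command-line arguments are assumptions of this example.

```c
/* Added example: not the mkfiles.c attachment from this bug. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `count` empty files in `dir` (requested mode 0666), then stat each
 * one and count those whose permission bits differ from 0666 & ~umask.
 * Files are removed afterwards. Returns the mismatch count, -1 on error. */
long count_bad_modes(const char *dir, long count)
{
    char path[4096];
    struct stat st;
    long made = 0, bad = 0;
    int failed = 0;
    mode_t mask = umask(0);      /* umask can only be read by setting it, */
    umask(mask);                 /* so put the original value straight back */
    mode_t expected = 0666 & ~mask;

    for (; made < count; made++) {
        snprintf(path, sizeof path, "%s/f%07ld", dir, made);
        int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
        if (fd < 0)
            break;               /* stop creating, still clean up below */
        close(fd);
    }
    /* Second pass after all creates, like the find step in the comment. */
    for (long i = 0; i < made; i++) {
        snprintf(path, sizeof path, "%s/f%07ld", dir, i);
        if (stat(path, &st) != 0) {
            failed = 1;
        } else if ((st.st_mode & 07777) != expected) {
            bad++;
            fprintf(stderr, "%s: mode %04o, expected %04o\n", path,
                    (unsigned)(st.st_mode & 07777), (unsigned)expected);
        }
        unlink(path);
    }
    return (made == count && !failed) ? bad : -1;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";  /* directory on the fs under test */
    long n = argc > 2 ? atol(argv[2]) : 1000000; /* same count as the report */
    long bad = count_bad_modes(dir, n);
    if (bad < 0) { fprintf(stderr, "cannot create or stat files in %s\n", dir); return 2; }
    printf("%ld of %ld files have unexpected permissions\n", bad, n);
    return bad == 0 ? 0 : 1;
}
```

Run it with an empty directory on the filesystem under test as the first argument; exit status 0 means every file had the expected mode.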
Comment 10 Raimonds Cicans 2012-11-21 17:33:09 UTC
(In reply to comment #9)

Posted this bug on Linux kernel bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=50861
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2012-11-21 17:35:54 UTC
(In reply to comment #10)
> (In reply to comment #9)
> 
> Posted this bug on Linux kernel bugzilla:
> https://bugzilla.kernel.org/show_bug.cgi?id=50861

Thanks for reporting upstream.  Since it is apparently not thunderbird related (just happens to be triggered by TB), un-CC'ing mozilla.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-04-04 18:24:39 UTC
There are no longer any 2.x or <3.6.6 kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.