fusefrontend: -allow_other: set file mode *after* chown in Create()

rfjakob · rfjakob · commit b22cc03c7516 · 2019-01-08T21:50:10.000+01:00
Reported by @slackner at #327 : Possible race-conditions between file creation and Fchownat * Assume a system contains a gocryptfs mount as root user with -allow_other * As a regular user create a new file with mode containing the SUID flag and write access for other users * Before gocryptfs executes the Fchownat call, try to open the file again, write some exploit code to it, and try to run it. For a short time, the file is owned by root and has the SUID flag, so this is pretty dangerous.
diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go
@@ -239,6 +239,14 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 		return nil, fuse.ToStatus(err)
 	}
 	defer syscall.Close(dirfd)
+	// Don't set full mode before we have set the correct owner. Files with SUID/SGID
+	// mode belonging to the wrong owner would be a security risk. Even for other
+	// modes, we don't want anyone else to open the file in the meantime: the fd would
+	// stay open and could later be used to read the file.
+	origMode := mode
+	if fs.args.PreserveOwner {
+		mode = 0000
+	}
 	fd := -1
 	// Handle long file name
 	if !fs.args.PlaintextNames && nametransform.IsLongContent(cName) {
@@ -253,7 +261,6 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 			nametransform.DeleteLongNameAt(dirfd, cName)
 			return nil, fuse.ToStatus(err)
 		}
-
 	} else {
 		// Create content, normal (short) file name
 		fd, err = syscallcompat.Openat(dirfd, cName, newFlags|syscall.O_CREAT|syscall.O_EXCL, mode)
@@ -271,7 +278,18 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 	if fs.args.PreserveOwner {
 		err = syscall.Fchown(fd, int(context.Owner.Uid), int(context.Owner.Gid))
 		if err != nil {
-			tlog.Warn.Printf("Create: Fchown() failed: %v", err)
+			tlog.Warn.Printf("Create %q: Fchown %d:%d failed: %v", cName, context.Owner.Uid, context.Owner.Gid, err)
+			// In case of a failure, we don't want to proceed setting more
+			// permissive modes.
+			syscall.Close(fd)
+			return nil, fuse.ToStatus(err)
+		}
+	}
+	// Set mode
+	if mode != origMode {
+		err = syscall.Fchmod(fd, origMode)
+		if err != nil {
+			tlog.Warn.Printf("Create %q: Fchmod %#o -> %#o failed: %v", cName, mode, origMode, err)
 		}
 	}
 	f := os.NewFile(uintptr(fd), cName)
