• Eric Biggers's avatar
    KEYS: prevent creating a different user's keyrings · 237bbd29
    Eric Biggers authored
    It was possible for an unprivileged user to create the user and user
    session keyrings for another user.  For example:
    
        sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
                               keyctl add keyring _uid_ses.4000 "" @u
                               sleep 15' &
        sleep 1
        sudo -u '#4000' keyctl describe @u
        sudo -u '#4000' keyctl describe @us
    
    This is problematic because these "fake" keyrings won't have the right
    permissions.  In particular, the user who created them first will own
    them and will have full access to them via the possessor permissions,
    which can be used to compromise the security of a user's keys:
    
        -4: alswrv-----v------------  3000     0 keyring: _uid.4000
        -5: alswrv-----v------------  3000     0 keyring: _uid_ses.4000
    
    Fix it by marking user and user session keyrings with a flag
    KEY_FLAG_UID_KEYRING.  Then, when searching for a user or user session
    keyring by name, skip all keyrings that don't have the flag set.
    
    Fixes: 69664cf1 ("keys: don't generate user and user session keyrings unless they're accessed")
    Cc: <stable@vger.kernel.org>	[v2.6.26+]
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    237bbd29
process_keys.c 21.1 KB