Bug 248787

Summary: sysutils/openzfs incorrect permissions handling in openzfs port
Product: Ports & Packages
Reporter: walker.aj325
Component: Individual Port(s)
Assignee: Ryan Moeller <freqlabs>
Status: Closed FIXED
Severity: Affects Many People
Flags: bugzilla: maintainer-feedback? (freqlabs)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description walker.aj325 2020-08-20 18:01:14 UTC
There are two critical permissions-related vulnerabilities in the FreeBSD port of openzfs (not base ZFS):

Issue 1:
_________
Users are always granted permissions to cd into a directory.  The
check for whether execute is present on directories is a de-facto
no-op.  This cannot be mitigated without upgrading.  Even setting
an explicit "deny - execute" NFSv4 ACE will be bypassed.

Issue 2:
_________
All allow ACEs for the owner_group (group@) and regular groups
(group:<foo>) are granted to the current user.  This means that
POSIX mode 770 is de-facto 777, and the below ACL is also de-facto
777 because the groupmember check for builtin_administrators
returns True.

root@TESTBOX[~]# getfacl testfile
# file: testfile
# owner: root
# group: wheel
group:builtin_administrators:rwxpDdaARWcCos:-------:allow
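
A simplified model of the failure described in Issue 2, added here as an illustration and not taken from the report or from OpenZFS: ACEs are walked in order, and the only difference between the two results is whether the group-membership predicate checks the caller's groups or always returns true. All names (`access_ok`, `member_ok`, `member_always`, `outsider_can`) and the uid/gid values are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model of ordered NFSv4 ACE evaluation; not OpenZFS source. */
enum { P_READ = 1, P_WRITE = 2, P_EXEC = 4 };
enum who { WHO_OWNER, WHO_GROUP };
struct ace  { enum who who; uint32_t gid; uint32_t mask; bool allow; };
struct cred { uint32_t uid; const uint32_t *groups; size_t ngroups; };
typedef bool (*member_fn)(const struct cred *, uint32_t gid);

/* Expected behaviour: true only when gid is in the caller's group list. */
bool member_ok(const struct cred *c, uint32_t gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Behaviour the report describes: the membership check always succeeds. */
bool member_always(const struct cred *c, uint32_t gid) { (void)c; (void)gid; return true; }

/* Walk ACEs in order; the first matching ACE decides each wanted bit. */
bool access_ok(const struct ace *acl, size_t n, uint32_t owner,
               const struct cred *c, uint32_t want, member_fn member) {
    uint32_t todo = want;
    for (size_t i = 0; i < n && todo; i++) {
        bool match = (acl[i].who == WHO_OWNER && c->uid == owner) ||
                     (acl[i].who == WHO_GROUP && member(c, acl[i].gid));
        if (!match || !(acl[i].mask & todo)) continue;
        if (!acl[i].allow) return false;      /* explicit deny on a wanted bit */
        todo &= ~acl[i].mask;
    }
    return todo == 0;                          /* undecided bits are denied */
}

/* Constructed sample: 770 root:wheel; caller uid 1001, only group 1001. */
bool outsider_can(uint32_t want, member_fn member) {
    static const struct ace acl[] = {
        { WHO_OWNER, 0, P_READ | P_WRITE | P_EXEC, true },
        { WHO_GROUP, 0, P_READ | P_WRITE | P_EXEC, true },
    };
    static const uint32_t groups[] = { 1001 };
    struct cred c = { 1001, groups, 1 };
    return access_ok(acl, 2, 0, &c, want, member);
}

int main(void) {
    printf("write as outsider: checked=%d always-true=%d\n",
           outsider_can(P_WRITE, member_ok), outsider_can(P_WRITE, member_always));
}
```

With the real membership check the non-member is denied every bit; with the always-true predicate the group@ ACE applies to every caller, which is how mode 770 ends up behaving like 777.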

Comment 1 Ryan Moeller freebsd_committer freebsd_triage 2020-08-20 18:02:40 UTC
Fixed in 2020081800: https://reviews.freebsd.org/D26107

Comment 2 commit-hook freebsd_committer freebsd_triage 2020-08-20 18:13:26 UTC
A commit references this bug:

Author: freqlabs
Date: Thu Aug 20 18:12:46 UTC 2020
New revision: 545543
URL: https://svnweb.freebsd.org/changeset/ports/545543

Log:
  security/vuxml: Document sysutils/openzfs-kmod issues

  PR:		248787
  Reported by:	Andrew Walker
  Reviewed by:	wg
  Approved by:	wg (ports)
  Sponsored by:	iXsystems, Inc.
  Differential Revision:	https://reviews.freebsd.org/D26121

Changes:
  head/security/vuxml/vuln.xml