Bug 248787 - sysutils/openzfs incorrect permissions handling in openzfs port
Summary: sysutils/openzfs incorrect permissions handling in openzfs port
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Ryan Moeller
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-20 18:01 UTC by walker.aj325
Modified: 2020-08-20 18:13 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (freqlabs)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description walker.aj325 2020-08-20 18:01:14 UTC
There are two critical permissions-related vulnerabilities in the FreeBSD port of openzfs (not base ZFS):

Issue 1:
_________
Users are always granted permissions to cd into a directory.  The
check for whether execute is present on directories is a de-facto
no-op.  This cannot be mitigated without upgrading.  Even setting
an explicit "deny - execute" NFSv4 ACE will be bypassed.

Issue 2:
_________
All allow ACEs for the owner_group (group@) and regular groups
(group:<foo>) are granted to the current user.  This means that
POSIX mode 770 is de-facto 777, and the below ACL is also de-facto
777 because the groupmember check for builtin_administrators
returns True.

root@TESTBOX[~]# getfacl testfile
# file: testfile
# owner: root
# group: wheel
group:builtin_administrators:rwxpDdaARWcCos:-------:allow
Comment 1 Ryan Moeller freebsd_committer freebsd_triage 2020-08-20 18:02:40 UTC
Fixed in 2020081800: https://reviews.freebsd.org/D26107
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-08-20 18:13:26 UTC
A commit references this bug:

Author: freqlabs
Date: Thu Aug 20 18:12:46 UTC 2020
New revision: 545543
URL: https://svnweb.freebsd.org/changeset/ports/545543

Log:
  security/vuxml: Document sysutils/openzfs-kmod issues

  PR:		248787
  Reported by:	Andrew Walker
  Reviewed by:	wg
  Approved by:	wg (ports)
  Sponsored by:	iXsystems, Inc.
  Differential Revision:	https://reviews.freebsd.org/D26121

Changes:
  head/security/vuxml/vuln.xml