[Bugs] [Bug 1254488] New: fuse: check return value of setuid

bugzilla at redhat.com bugzilla at redhat.com
Tue Aug 18 08:57:13 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1254488

            Bug ID: 1254488
           Summary: fuse: check return value of setuid
           Product: Red Hat Gluster Storage
           Version: 3.1
         Component: glusterfs-fuse
          Assignee: rhs-bugs at redhat.com
          Reporter: vagarwal at redhat.com
        QA Contact: storage-qa-internal at redhat.com
                CC: aavati at redhat.com, bugs at gluster.org, csaba at redhat.com,
                    gluster-bugs at redhat.com, ndevos at redhat.com,
                    nlevinki at redhat.com, prasanna.kalever at redhat.com
        Depends On: 1221490



+++ This bug was initially created as a clone of Bug #1221490 +++

Description of problem:

setuid() sets the effective user ID of the calling process.  If the effective
UID of the caller is root, the real UID and saved set-user-ID are also set.
On success, zero is returned.  On error, -1 is returned, and errno is set
appropriately.

Note: there are cases where setuid() can fail even when the caller is UID 0; it
is a grave security error to omit checking for a failure return from setuid().
If an environment limits the number of processes a user can have, setuid()
might fail if the target uid is already at the limit.


Version-Release number of selected component (if applicable):

mainline
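
The following is an added example, not GlusterFS code, that shows the two patterns the report contrasts: a privilege drop that ignores the setuid() result (the bug) beside one that checks the return value, preserves errno, and verifies with getuid()/geteuid() that the kernel actually applied the change. The function names are hypothetical. On Linux, the process-limit failure the report mentions surfaces as EAGAIN, and an unprivileged caller asking for a uid other than its real or saved uid gets EPERM.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the bug describes: setuid()'s return value is discarded, so
 * the caller reports success even when the process is still running with
 * its original (possibly root) identity. Hypothetical name. */
int drop_privileges_unchecked(uid_t target)
{
    setuid(target);     /* result ignored: this is the defect */
    return 0;           /* always claims success */
}

/* Corrected pattern (hypothetical name): refuse to proceed unless the
 * identity change succeeded. Returns 0 on success, -1 on failure with
 * errno left as setuid() set it. */
int drop_privileges(uid_t target)
{
    if (setuid(target) == -1) {
        int saved = errno;
        /* EAGAIN: target uid already at its RLIMIT_NPROC limit (Linux).
         * EPERM : caller is unprivileged and target is not its real or
         *         saved set-user-ID. */
        fprintf(stderr, "setuid(%u) failed: %s\n",
                (unsigned)target, strerror(saved));
        errno = saved;
        return -1;
    }
    /* Defence in depth: confirm both real and effective UID changed. */
    if (getuid() != target || geteuid() != target) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Switching to our own uid is always permitted, so this succeeds
     * whether or not the program runs as root. */
    uid_t me = getuid();
    if (drop_privileges(me) == 0)
        printf("now running as uid %u\n", (unsigned)geteuid());
    else
        printf("privilege drop failed, refusing to continue\n");
    return 0;
}
```

A caller that wants to keep serving after a failed drop should treat the -1 as fatal for the request, exactly as the fix in the patch does, rather than carrying on with whatever identity the process happens to have.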

--- Additional comment from Anand Avati on 2015-05-14 04:53:38 EDT ---

REVIEW: http://review.gluster.org/10780 (fuse: fix return value check for
setuid) posted (#1) for review on master by Prasanna Kumar Kalever

--- Additional comment from Anand Avati on 2015-05-14 05:08:10 EDT ---

REVIEW: http://review.gluster.org/10780 (fuse: fix return value check for
setuid) posted (#2) for review on master by Prasanna Kumar Kalever

--- Additional comment from Niels de Vos on 2015-05-15 14:24:51 EDT ---

Assigning the bug to the owner of the patch, and moving the status to POST.
Please do so for your own patches next time.

--- Additional comment from Anand Avati on 2015-05-15 15:26:59 EDT ---

REVIEW: http://review.gluster.org/10780 (fuse: fix return value check for
setuid) posted (#3) for review on master by Prasanna Kumar Kalever

--- Additional comment from Anand Avati on 2015-05-16 03:19:20 EDT ---

COMMIT: http://review.gluster.org/10780 committed in master by Niels de Vos
(ndevos at redhat.com) 
------
commit b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6
Author: Prasanna Kumar Kalever <prasanna.kalever at redhat.com>
Date:   Thu May 14 12:10:01 2015 +0530

    fuse: fix return value check for setuid

    setuid() sets the effective user ID of the calling process. If the
    effective UID of the caller is root, the real UID and saved set-user-ID
    are also set. On success, zero is returned.  On error, -1 is returned,
    and errno is set appropriately.

    there are cases where setuid() can fail even when the caller is UID 0;
    it is a grave security error to omit checking for a failure return from
    setuid(). if an environment limits the number of processes a user can
    have, setuid() might fail if the target uid already is at the limit.

    Fix is to check return value of setuid.

    Change-Id: I7aa5ab5e347603c69dc93188417cc4f4c81ffc75
    BUG: 1221490
    Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever at redhat.com>
    Reviewed-on: http://review.gluster.org/10780
    Reviewed-by: Prasanna Kumar Kalever
    Tested-by: Prasanna Kumar Kalever
    Reviewed-by: Niels de Vos <ndevos at redhat.com>
    Tested-by: Gluster Build System <jenkins at build.gluster.com>
    Reviewed-by: Gaurav Kumar Garg <ggarg at redhat.com>


Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1221490
[Bug 1221490] fuse: check return value of setuid