From 396240cf070a806b91fea81131d034e1399af1e0 Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk
Date: Wed, 9 Mar 2016 19:30:20 -0600
Subject: [PATCH] OPENAFS-SA-2016-001 group creation by foreign users

CVE-2016-2860: The ptserver permits foreign-cell users to create groups as if they were system:administrators. In particular, groups in the user namespace (with no colon) and the system: namespace can be created. No group quota is enforced for the creation of these groups, but they will be owned by system:administrators and cannot be changed by the user that created them.

When processing requests from foreign users, the creator ID is overwritten with the ID of system:administrators, and that field is later used for access control checks in CorrectGroupName(), called from CreateEntry().

The access-control bypass is not possible for creating user entries, since there is an early check in CreateOK() that only permits administrators to create users, using a correct test for whether the call is being made by an administrator.

FIXES 132822

[Based on a patch by Jeffrey Altman.]

Change-Id: I77dcf4a2f7d9c770c805a649f2ddc6bee5f83389
---
 src/ptserver/ptprocs.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index ae1a562920..f9f48fc689 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -345,13 +345,19 @@ newEntry(struct rx_call *call, char aname[], afs_int32 flag, afs_int32 oid, * automatic id assignment. */ code = WhoIsThisWithName(call, tt, cid, cname); - if (code != 2) { /* 2 specifies that this is a foreign cell request */ - if (code) - ABORT_WITH(tt, PRPERM); - admin = IsAMemberOf(tt, *cid, SYSADMINID); - } else { - admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, *cid, SYSADMINID); - oid = *cid = SYSADMINID; + if (code && code != 2) + ABORT_WITH(tt, PRPERM); + admin = IsAMemberOf(tt, *cid, SYSADMINID); + if (code == 2 /* foreign cell request */) { + if (!restricted && (strcmp(aname, cname) == 0)) { + /* can't autoregister while providing an owner id */ + if (oid != 0) + ABORT_WITH(tt, PRPERM); + + admin = 1; + oid = SYSADMINID; + *cid = SYSADMINID; + } } if (!CreateOK(tt, *cid, oid, flag, admin)) ABORT_WITH(tt, PRPERM);
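Review bot: In the autoregistration branch (`!restricted && strcmp(aname, cname) == 0`), `admin = 1` and `*cid = SYSADMINID` are set without any check on `flag`, so `CreateOK()` and everything after it still see the caller-supplied entry type together with the system:administrators identity. The branch now rejects a non-zero `oid`; if it is meant only for a foreign user registering their own user entry, it would be safer to also require that `flag` denotes a user entry there, or to add a comment saying which later check guarantees that. Separately, the literal `2` returned by `WhoIsThisWithName()` is now tested in two places (`code && code != 2` and `code == 2`); a named constant would remove the need for the inline comment and keep the two tests in sync. It would also help to document what `*cid` holds for a foreign caller that does not take the autoregistration branch, since `IsAMemberOf(tt, *cid, SYSADMINID)` is now evaluated for that caller too.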