Debian Bug report logs - #310757
davfs2: doesn't enforce permissions

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andrew Pimlott <andrew@pimlott.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: davfs2: doesn't enforce permissions

Date: Wed, 25 May 2005 11:51:10 -0700

Package: davfs2
Version: 0.2.3-2
Severity: grave
Tags: security
Justification: user security hole

It appears that davfs2 does not enforce unix permissions.  I just
mounted a DAV share as root.  When I list permissions in the root of the
mount, I see

    % ls -ld .
    drwxr-xr-x  1 root root 512 2005-05-25 11:43 .
    % ls -l   
    total 950
    -rwxr-xr-x  0 root root      6 2005-05-25 11:43 file
    drwxr-xr-x  1 root root    512 2005-05-10 05:18 dir

However, as a regular user, I can create and modify files with no
restrictions.  For example "touch foo" and "echo hello > file" both work
fine.  I also tried mounting with mode=0700, and nothing changed, not
even the permissions displayed.  So it appears that there is no way to
restrict access to the mounted DAV share.

Also, on a possibly related note, I see that if I create a file with
"touch foo", foo has the permissions

    -rw-rw-r--  0 root root      0 2005-05-25 11:48 foo

However, if I unmount and remount, then the permissions revent to

    -rwxr-xr-x  0 root root      0 2005-05-25 11:48 foo

Andrew

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages davfs2 depends on:
ii  libc6                      2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libneon24                  0.24.7.dfsg-2 An HTTP and WebDAV client library
ii  libssl0.9.7                0.9.7g-1      SSL shared libraries
ii  libxml2                    2.6.16-7      GNOME XML library
ii  zlib1g                     1:1.2.2-4     compression library - runtime

-- no debconf information

Message #12 received at 310757-forwarded@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>

To: Sung Kim <hunkim@cs.ucsc.edu>, Robert Spier <robrt@users.sourceforge.net>

Cc: 310757-forwarded@bugs.debian.org

Subject: Fwd: davfs2: doesn't enforce permissions

Date: Wed, 25 May 2005 21:33:40 +0200

[Message part 1 (text/plain, inline)]

tags 310757 + upstream
thanks

This just came in to the Debian bug tracking system. If you ask me,
the bug is justified. davfs2 should provide a filesystem which
enforces Unix permissions. Thus, a file should only be accessible if
the DAV server thinks so *and* the local permissions are set
accordingly.

As we are very close to a Debian stable release, I think we will
have to remove davfs2 from Debian unless we manage to fix this
before the weekend. What do you guys think?

----- Forwarded message from Andrew Pimlott <andrew@pimlott.net> -----

Date: Wed, 25 May 2005 11:51:10 -0700
From: Andrew Pimlott <andrew@pimlott.net>
Subject: davfs2: doesn't enforce permissions

Package: davfs2
Version: 0.2.3-2
Severity: grave
Tags: security
Justification: user security hole

It appears that davfs2 does not enforce unix permissions.  I just
mounted a DAV share as root.  When I list permissions in the root of the
mount, I see

    % ls -ld .
    drwxr-xr-x  1 root root 512 2005-05-25 11:43 .
    % ls -l   
    total 950
    -rwxr-xr-x  0 root root      6 2005-05-25 11:43 file
    drwxr-xr-x  1 root root    512 2005-05-10 05:18 dir

However, as a regular user, I can create and modify files with no
restrictions.  For example "touch foo" and "echo hello > file" both work
fine.  I also tried mounting with mode=0700, and nothing changed, not
even the permissions displayed.  So it appears that there is no way to
restrict access to the mounted DAV share.

Also, on a possibly related note, I see that if I create a file with
"touch foo", foo has the permissions

    -rw-rw-r--  0 root root      0 2005-05-25 11:48 foo

However, if I unmount and remount, then the permissions revent to

    -rwxr-xr-x  0 root root      0 2005-05-25 11:48 foo

Andrew

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages davfs2 depends on:
ii  libc6                      2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libneon24                  0.24.7.dfsg-2 An HTTP and WebDAV client library
ii  libssl0.9.7                0.9.7g-1      SSL shared libraries
ii  libxml2                    2.6.16-7      GNOME XML library
ii  zlib1g                     1:1.2.2-4     compression library - runtime

-- no debconf information



----- End forwarded message -----

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"those who are faithful know only the trivial side of love:
 it is the faithless who know love's tragedies."
                                                        -- oscar wilde

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 310757@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>

To: 310757@bugs.debian.org

Subject: more info

Date: Wed, 25 May 2005 23:17:18 +0200

[Message part 1 (text/plain, inline)]

This in from Roger Leigh:

22:07 < rleigh> madduck: Re davfs2: Check src/webdav.c, line 480.  Looks like 
          executable perms are enforced, but I may be wrong (I don't know the 
          interrelationship of libneon and CODA and dafvs).  auth(), line 145 
          also looks suspect.  Generally, the code has a FIXMEs, and it looks 
          like it is responsible for handling VFS operations.  If this is 
          correct, it's not doing a very good job.
22:11 < rleigh> (chmod is blank!)
22:18 < rleigh> madduck: I'll review it some more (I've just found the mount 
          option handling), but IMHO it's broken.
23:15 < rleigh> madduck: Just for the record: the only trace of uid/gid/mode 
          handling is in src/util.c, dav_(set|get)_fstat_default().  This is 
          used by src/davfsd.c in set_mkdir_attr and coda_open (via 
          src/webdav.c in dav_stat()).  The upshot is the uid/gid are set to 
          those provided.  The mode handling looks like it might be suspect, 
          and I don't see any permissions checking [perhaps it's supposed to be 
          in kernelspace].  I also saw at least one leak.

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"perhaps debian is concerned more about technical excellence rather
 than ease of use by breaking software. in the former we may excel.
 in the latter we have to concede the field to microsoft. guess
 where i want to go today?"
                                                 -- manoj srivastava

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 310757@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 310757@bugs.debian.org

Subject: There are file systems without POSIX semantics

Date: Thu, 26 May 2005 01:09:57 +0200

Hi,
Disclaimer: I don't know davfs2 and I don't use. But I disgree that every
file system should implement POSIX access semantics. There are production
class systems that don't, e.g. the Andrew file system. And as Coda, which
according to the package description is used as the backend, is a
descandant of AFS this may very well be in order.

Cheers,
        Moritz

Message #25 received at 310757@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 310757@bugs.debian.org

Subject: Re: Bug#310757: There are file systems without POSIX semantics

Date: Thu, 26 May 2005 02:40:19 +0200

[Message part 1 (text/plain, inline)]

also sprach Moritz Muehlenhoff <jmm@inutil.org> [2005.05.26.0109 +0200]:
> Disclaimer: I don't know davfs2 and I don't use. But I disgree
> that every file system should implement POSIX access semantics.
> There are production class systems that don't, e.g. the Andrew
> file system. And as Coda, which according to the package
> description is used as the backend, is a descandant of AFS this
> may very well be in order.

Thanks for this valuable information.

One way to secure a davfs2 mount is to enclose the mount point in
a directory that can only be accessed by the authorised people.
However, this still gives everyone write access, even if some should
only have read access.

DAV does implement a fine-grained set of permissions. However,
a davfs2 resource is mounted with a single username and password.
Essentially, thus, mounting a DAV resource on a publicly accessible
place (e.g. /mnt) has the same effect as distributing the username
and password to each user with access to the system. And *this*
would be a security problem. :)

How does AFS/Coda work wrt this? I cannot imagine that every user of
a system with AFS mounts has unconditional read and write access to
those resources...

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"for art to exist, for any sort of aesthetic activity or perception to
 exist, a certain physiological precondition is indispensable:
 intoxication."
                                                -- friedrich nietzsche

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 310757@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: martin f krafft <madduck@debian.org>, 310757@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>

Subject: Re: Bug#310757: There are file systems without POSIX semantics

Date: Wed, 25 May 2005 18:51:23 -0700

[Message part 1 (text/plain, inline)]

On Thu, May 26, 2005 at 02:40:19AM +0200, martin f krafft wrote:
> also sprach Moritz Muehlenhoff <jmm@inutil.org> [2005.05.26.0109 +0200]:
> > Disclaimer: I don't know davfs2 and I don't use. But I disgree
> > that every file system should implement POSIX access semantics.
> > There are production class systems that don't, e.g. the Andrew
> > file system. And as Coda, which according to the package
> > description is used as the backend, is a descandant of AFS this
> > may very well be in order.

> Thanks for this valuable information.

> One way to secure a davfs2 mount is to enclose the mount point in
> a directory that can only be accessed by the authorised people.
> However, this still gives everyone write access, even if some should
> only have read access.

> DAV does implement a fine-grained set of permissions. However,
> a davfs2 resource is mounted with a single username and password.
> Essentially, thus, mounting a DAV resource on a publicly accessible
> place (e.g. /mnt) has the same effect as distributing the username
> and password to each user with access to the system. And *this*
> would be a security problem. :)

> How does AFS/Coda work wrt this? I cannot imagine that every user of
> a system with AFS mounts has unconditional read and write access to
> those resources...

Quite the contrary; most AFS shares are mounted using Kerberos, such that
only processes with the necessary Kerberos ticket (or rather, AFS token,
which is acquired using the Kerberos ticket) can access the files.

-- 
Steve Langasek
postmodern programmer

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 310757@bugs.debian.org (full text, mbox, reply):

From: gary ng <garyng2000@yahoo.com>

To: 310757@bugs.debian.org

Subject: Re: There are file systems without POSIX semantics

Date: Wed, 25 May 2005 23:12:04 -0700 (PDT)

Forgive me ignorance. Would the same situation happens
in say SMB/CIFS ? To the server, the authentication
would still be whoever mount it from the client side. 

I don't think this is a bug(if it is at all) worth RC status.


		
__________________________________ 
Do you Yahoo!? 
Make Yahoo! your home page 
http://www.yahoo.com/r/hs

Message #40 received at 310757@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: gary ng <garyng2000@yahoo.com>, 310757@bugs.debian.org

Subject: Re: Bug#310757: There are file systems without POSIX semantics

Date: Wed, 25 May 2005 23:46:28 -0700

[Message part 1 (text/plain, inline)]

On Wed, May 25, 2005 at 11:12:04PM -0700, gary ng wrote:
> Forgive me ignorance. Would the same situation happens
> in say SMB/CIFS ? To the server, the authentication
> would still be whoever mount it from the client side. 

> I don't think this is a bug(if it is at all) worth RC status.

SMB/CIFS mounts honor the uid, gid, fmask, dmask mount options which
restrict who is allowed to access files/directories under the mountpoint.

Having support for not exposing the entire mount point to access by
arbitrary users on the system really is a rather basic requirement, and
davfs is the only filesystem type I've heard of which doesn't support this
correctly in one form or another.

-- 
Steve Langasek
postmodern programmer

[signature.asc (application/pgp-signature, inline)]

Message #43 received at 310757@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>

To: gary ng <garyng2000@yahoo.com>, 310757@bugs.debian.org

Subject: Re: Bug#310757: There are file systems without POSIX semantics

Date: Thu, 26 May 2005 08:50:31 +0200

[Message part 1 (text/plain, inline)]

also sprach gary ng <garyng2000@yahoo.com> [2005.05.26.0812 +0200]:
> Forgive me ignorance. Would the same situation happens
> in say SMB/CIFS ? To the server, the authentication
> would still be whoever mount it from the client side. 

If I mount a SMB/CIFS share with umask 0700, nobody but myself can
enter the mounted hierarchy, or read/write files therein.

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"alles sollte so einfach, wie möglich gemacht sein,
 aber nicht einfacher."
                                                    -- albert einstein

[signature.asc (application/pgp-signature, inline)]

Message #48 received at 310757@bugs.debian.org (full text, mbox, reply):

From: Roger Leigh <rleigh@whinlatter.ukfsn.org>

To: martin f krafft <madduck@debian.org>

Cc: 310757@bugs.debian.org, Luciano Bello <luciano@linux.org.ar>

Subject: Re: davfs2: doesn't enforce permissions

Date: Sat, 28 May 2005 13:20:19 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

martin f krafft <madduck@debian.org> writes:

> also sprach Roger Leigh <rleigh@whinlatter.ukfsn.org> [2005.05.28.1208 +0200]:
>> If the security problems in the package can't be resolved soon, please
>> could you request removal from sid in addition to removal from sarge?
>
> Why? If you think this is necessary, please file the bug against
> ftp.debian.org yourself.

I don't want to do that without the maintainer's consent.  If the
package has severe security issues that won't be fixed in the
short-term, do we really want this in Debian?


- -- 
Roger Leigh
                Printing on GNU/Linux?  http://gimp-print.sourceforge.net/
                Debian GNU/Linux        http://www.debian.org/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFCmGHsVcFcaSW/uEgRAooyAKCm4Zs+qIY0qhhnzHlQDzPUT3ONvQCgsxXl
T7r0o5vg9sosFEljIIMQZz4=
=uS+v
-----END PGP SIGNATURE-----

Message #51 received at 310757@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>

To: Roger Leigh <rleigh@whinlatter.ukfsn.org>

Cc: 310757@bugs.debian.org, Luciano Bello <luciano@linux.org.ar>

Subject: Re: davfs2: doesn't enforce permissions

Date: Sat, 28 May 2005 17:00:03 +0200

[Message part 1 (text/plain, inline)]

also sprach Roger Leigh <rleigh@whinlatter.ukfsn.org> [2005.05.28.1420 +0200]:
> I don't want to do that without the maintainer's consent.  If the
> package has severe security issues that won't be fixed in the
> short-term, do we really want this in Debian?

It is only Debian *unstable*, but before I come across as
authoritative figure... I honestly do not know what to think of your
proposal. I think we might want to take this to debian-security.
Then again, I am not going to oppose if you file this bug. But
please do understand that I am not going to instigate your idea for
you.

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"geld ist das brecheisen der macht."
                                                 - friedrich nietzsche

[signature.asc (application/pgp-signature, inline)]

Message #56 received at 310757@bugs.debian.org (full text, mbox, reply):

From: Werner Baumann <werner.baumann@onlinehome.de>

To: 310757@bugs.debian.org

Cc: luciano@linux.org.ar

Subject: Re: davfs2: doesn't enforce permissions

Date: Sat, 04 Jun 2005 15:03:03 +0200

[Message part 1 (text/plain, inline)]

Hello,

I have done a quick and brutal fix to this. Patch file is attached.

The fix:
- terminate, if run setuid. So only root can mount. Reason: davfs2 does 
not enforce mount control by fstab. So if run setuid, any user could 
mount with the uid of any other user.
- set uid and gid according to the values given as option. Set file mode 
600 and directory mode 700. Only root and the user given as option may 
use the file system.
- do not allow to change uid, gid and mode of any part of the mounted 
file system.
- for every request (coda upcall) the requesting uid is checked against 
the uid of the file system.

Rationale:
Checking is more restrictive than necessary. But this way it could be 
done with little effort. I also think that a more sophisticated checking 
of permissions should be done together with the redisign of other parts 
of davfs2.

Greetings
Werner

[davfs2-0.2.3-permissioncheck.diff (text/plain, inline)]

diff -Naur davfs2-0.2.3.orig/ChangeLog davfs2-0.2.3/ChangeLog
--- davfs2-0.2.3.orig/ChangeLog	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/ChangeLog	2005-06-04 13:53:20.000000000 +0200
@@ -1,5 +1,14 @@
 ChangeLog for Davfs2
 
+2005-06-03 Werner Baumann
+    security fix (quick and brutal) concerning file access:
+    davfsd.c, util.c, util.h, webdav.c:
+        * set filemode to 0600 and dirmode to 0700
+        * don't allow change of uid, gid or mode
+        * check every coda upcoll for permissions:
+          access is only allowed from owner and root
+        * terminate if run setuid
+
 2004-11-01 Robert Spier
 	* Seems like a good time for 0.2.3
 	* Changes in the past 11 months include...
diff -Naur davfs2-0.2.3.orig/README davfs2-0.2.3/README
--- davfs2-0.2.3.orig/README	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/README	2005-06-04 13:51:52.000000000 +0200
@@ -53,7 +53,14 @@
    - Use umount for unmount
    - example : umount /dav
 
-4. Debugging
+4. User mount
+   - For security reasons only root may mount. mount.davfs must not be run setuid.
+   
+5. File permissions:
+   - Permissions are set to 600 (700 for directories).
+     It is not possible to change uid, gid or mode.
+
+6. Debugging
    - mount.davfs will not run as a daemon mode.
    - configure with --with-debug option
    - Coda debug log goes out stdout
@@ -61,9 +68,9 @@
    - To save log :  ./mount.davfs http://127.0.0.1/repos/ /dav > coda.log 2>webdav.log
    - To kill all running mount.davfs, do 'killall mount.davfs'
 
-5. For more information : http://dav.sf.net
+7. For more information : http://dav.sf.net
 
-6.  Participation
+8.  Participation
   DAVFS is an Open Source project, and we welcome your participation.
   Please join developer mailing list dav-linuxfs@lists.sf.net
   For cvs commit info, join dav-checkins@lists.sf.net
diff -Naur davfs2-0.2.3.orig/src/davfsd.c davfs2-0.2.3/src/davfsd.c
--- davfs2-0.2.3.orig/src/davfsd.c	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/src/davfsd.c	2005-06-04 13:42:46.000000000 +0200
@@ -68,82 +68,20 @@
 
 static int count = 0;
 
-/* default stat */
-struct stat generic_stat = { 0 /* dev */ , 0 /* pad */ ,
-			     0 /* inode */ , S_IFREG | 0666 /* mode */ ,
-			     0, 0, /* uid, gid */ 0 /* device */ , 0 /* pad */ ,
-			     0 /* size */ , 1024 /* blksize */
-};				/* rest are 0 */
-
-/* Mkdir and Create need to return attr to kernel */
-static void set_mkdir_attr(struct coda_vattr *attr) {
-    struct stat stat;
-
-    /* Get default mode */
-    dav_get_fstat_default(&stat);
-
-    attr->va_type = C_VDIR;
- 
-    /* FIXME: Mode?? */
-    attr->va_mode = stat.st_mode | S_IXUSR;
-    IFTOCDT(attr->va_mode);
-    attr->va_mode |= CDT_DIR;
- 
-    attr->va_uid = stat.st_uid;
-    attr->va_gid = stat.st_gid;
+struct stat dav_file_stat;
+struct stat dav_dir_stat;
 
-    attr->va_size = 512;
-    attr->va_blocksize = 1;
-}
-
-
-/* Mkdir and Create need to return attr to kernel */
-static void set_create_attr(struct coda_vattr *attr) {
-#if 0
-    struct stat stat;
-
-    /* Get default mode */
-    dav_get_fstat_default(&stat);
-    
-    attr->va_mode = stat.st_mode;
-    IFTOCDT(attr->va_mode);
-    attr->va_mode |= CDT_REG;
-    
-    attr->va_uid = stat.st_uid;
-    attr->va_gid = stat.st_gid;
-    
-    /* Zero for new creation */
-    attr->va_size = 0;
-    attr->va_blocksize = 0;
-    
-#endif
-}
-
-/* change uid/gid to match credentials given by kernel */
-static void setfscred(union inputArgs *in_buf)
-{
-#if CODA_KERNEL_VERSION > 2
-    DBG1(" (uid=%d)", in_buf->ih.uid);
-
-    setfsuid(in_buf->ih.uid);
-    setfsgid(0);
+int dav_has_permission(struct coda_in_hdr *ih) {
+#ifdef NEW_CODA_STRUCTURES
+    DBG1("id: %i\n", ih->uid);
+    if ((ih->uid != dav_file_stat.st_uid) && (ih->uid != 0))
+        return 0;
 #else
-    DBG2(" (uid=%d,euid=%d,", 
-	 in_buf->ih.cred.cr_uid, in_buf->ih.cred.cr_euid);
-    DBG2(" suid=%d,fsuid=%d) ", 
-	 in_buf->ih.cred.cr_suid, in_buf->ih.cred.cr_fsuid);
- 
-    setfsuid(in_buf->ih.cred.cr_fsuid);
-    setfsgid(in_buf->ih.cred.cr_fsgid);
-#endif /* CODA_FS_OLD_API */
-}
-
-
-/* reset uid/gid */
-static void resetfscred(void)
-{
-    seteuid(0);		
-    setegid(0);
+    DBG1("id: %i\n", ih->cred.cr_uid);
+    if ((ih->cred.cr_uid != dav_file_stat.st_uid) && (ih->cred.cr_uid != 0))
+        return 0;
+#endif /* NEW_CODA_STRUCTURES */
+    return 1;
 }
 
 /* Delete mnt table ans try to umount */
@@ -151,8 +89,6 @@
 {
     DBG1("signal_handler(%d)\n", signo);
   
-    resetfscred();
-
     /* Unount */
     /* Scenario:
        1. mount.davfs
@@ -704,7 +640,7 @@
 
     }
     else
-	st = generic_stat;
+    st = dav_file_stat;
 
     /* Directory */
     if (S_ISDIR(st.st_mode)) {
@@ -780,6 +716,10 @@
     union outputArgs *out_buf;
     int server_nolocks=0;
 
+    if (geteuid() != getuid()) {
+      fprintf(stderr,"You must not run mount.davfs setuid.\n"), exit(1);
+    }
+    
     if (geteuid() != 0) {
       fprintf(stderr,"You must be root to use mount.davfs\n"), exit(1);
     }
@@ -888,7 +828,7 @@
   
     /* Save pid */
     dav_save_mount_pid(mopt.dev);
-
+    
     /* Read message from the CODA device */
     for ( ; ; ) {
 	char *name;
@@ -931,9 +871,6 @@
 	DBG2("got %3.3d byte command: opcode = %2.2ld ", msg,
 		    in_buf->ih.opcode);
 	
-	/* switch to uid/gid of requesting process */
-	setfscred(in_buf);
-
 	out_buf->oh.opcode = in_buf->ih.opcode;
 	out_buf->oh.unique = in_buf->ih.unique;
 	out_buf->oh.result = ENOSYS;
@@ -943,6 +880,10 @@
 	
 	switch (in_buf->ih.opcode) {
 	case CODA_ROOT:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(root);
 	    DBG0(": ");
 	    alloc_vfid((DAVCodaFid *)&out_buf->coda_root.VFid, "/", 1);
@@ -969,6 +910,10 @@
 	    
 	    /********************* file props & access *******************/
 	case CODA_GETATTR:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(getattr);
 	    DUMP(getattr);
 	    GET_VFID_name(getattr);
@@ -976,11 +921,15 @@
 		STAT(name);	/* fills in st */
 	    }
 	    else
-		st = generic_stat;
+        st = dav_file_stat;
 	    st2attr(&st, &out_buf->coda_getattr.attr);
 	    break;
 
 	case CODA_SETATTR:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(setattr);
 	    DUMP(setattr);
 	    GET_VFID_name(setattr);
@@ -989,12 +938,17 @@
 	       in_buf->coda_setattr.attr.va_mode,
 	       in_buf->coda_setattr.attr.va_mtime.tv_sec,
 	       in_buf->coda_setattr.attr.va_uid);
-	    if (in_buf->coda_setattr.attr.va_mode != (u_short) - 1)
-		dav_chmod( name, in_buf->coda_setattr.attr.va_mode );
-	    /* cannot change owner, group or dates ....... */
+        if ((in_buf->coda_setattr.attr.va_mode != (u_short) -1)
+                || (in_buf->coda_setattr.attr.va_uid != -1)
+                || (in_buf->coda_setattr.attr.va_gid != -1))
+            out_buf->oh.result = ENOTSUP;
 	    break;
 
 	case CODA_ACCESS:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    /* this always returns TRUE; this seems to be ok with current CODA design */
 	    CMD_NOREP(access);
 	    DUMP(access);
@@ -1003,6 +957,10 @@
 	    break;
 
 	case CODA_LOOKUP:	/* !! ttd: search for existing VFid's instead of making many new ones */
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(lookup);
 	    DUMP_NAME(lookup);
 	    GET_VFID_name(lookup);
@@ -1015,6 +973,10 @@
 	    break;
 
 	case CODA_READLINK:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(readlink);
 	    DUMP(readlink);
 	    GET_VFID_name(readlink);
@@ -1035,6 +997,10 @@
 
       /************************ open, close, create & mkdir ******************/
 	case CODA_OPEN_BY_FD:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(open);
 	    DUMP(open);
 	    DBG1("flags:%#x ", in_buf->coda_open.flags);
@@ -1051,6 +1017,10 @@
 	    break;
 
 	case CODA_OPEN:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(open);
 	    DUMP(open);
 	    DBG1("flags:%#x ", in_buf->coda_open.flags);
@@ -1069,6 +1039,10 @@
 	    break;
 
 	case CODA_OPEN_BY_PATH:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(open_by_path);
 	    DUMP(open_by_path);
 	    DBG1("flags:%#x ", in_buf->coda_open_by_path.flags);
@@ -1090,6 +1064,10 @@
 	    /*# FIXME : RELEASE */
 	case CODA_RELEASE:
 	case CODA_CLOSE:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(close);
 	    DUMP(close);
 	    GET_VFID_name(close);
@@ -1105,10 +1083,18 @@
 	    
 	    /*# FIXME : What should I do ? */
 	case CODA_FSYNC:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(fsync);
 	    break;
 
 	case CODA_CREATE:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(create);
 	    DUMP_NAME(create);
 	    GET_VFID_name(create);
@@ -1119,11 +1105,15 @@
 	    v_created(out_buf->coda_create.VFid) = 1;
 
 	    /* get inherient */
-	    out_buf->coda_create.attr = in_buf->coda_create.attr;
-	    set_create_attr(&(out_buf->coda_create.attr));
+        out_buf->coda_create.attr = in_buf->coda_create.attr;
+        st2attr(&dav_file_stat, &(out_buf->coda_create.attr));
 	    break;
 
 	case CODA_MKDIR:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD(mkdir);
 	    DUMP_NAME(mkdir);
 	    GET_VFID_name(mkdir);
@@ -1133,8 +1123,8 @@
 		alloc_vfid((DAVCodaFid *)&out_buf->coda_mkdir.VFid, buf, 1);
 		
 		/* get inherient */
-		out_buf->coda_mkdir.attr = in_buf->coda_mkdir.attr;
-		set_mkdir_attr(&(out_buf->coda_mkdir.attr));
+        out_buf->coda_mkdir.attr = in_buf->coda_mkdir.attr;
+        st2attr(&dav_dir_stat, &(out_buf->coda_mkdir.attr));
 	    }
 	    else
 		out_buf->oh.result = dav_get_errno();
@@ -1142,6 +1132,10 @@
 
       /********************* deletions & rename ******************/
 	case CODA_RMDIR:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(rmdir);
 	    DUMP_NAME(rmdir);
 	    GET_VFID_name(rmdir);
@@ -1155,6 +1149,10 @@
 		out_buf->oh.result = dav_get_errno();
 	    break;
 	case CODA_REMOVE:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(remove);
 	    DUMP_NAME(remove);
 	    GET_VFID_name(remove);
@@ -1168,6 +1166,10 @@
 		out_buf->oh.result = dav_get_errno();
 	    break;
 	case CODA_RENAME:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(rename);
 	    {
 		int is_dir_src;
@@ -1197,11 +1199,19 @@
 	    /* Not implemented, but should return OK */
 	case CODA_STATFS:
 	case CODA_STORE:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    CMD_NOREP(store);
 	    DBG0(" What should I save?");
 	    break;
 
 	default:
+        if (!dav_has_permission(&in_buf->ih)) {
+            out_buf->oh.result = EPERM;
+            break;
+        }
 	    DBG0(" unimplemented coda call");
 	    break;
 	}
@@ -1214,7 +1224,6 @@
 	    close(toclose);
 	fflush(stdout);
 	fflush(stderr);
-	resetfscred();
 	time_last_msg = time(NULL);
     }				/* while */
 }
diff -Naur davfs2-0.2.3.orig/src/mount.c davfs2-0.2.3/src/mount.c
--- davfs2-0.2.3.orig/src/mount.c	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/src/mount.c	2005-06-04 13:48:43.000000000 +0200
@@ -20,6 +20,7 @@
 #include <stdio.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <pwd.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
diff -Naur davfs2-0.2.3.orig/src/util.c davfs2-0.2.3/src/util.c
--- davfs2-0.2.3.orig/src/util.c	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/src/util.c	2005-06-04 13:44:46.000000000 +0200
@@ -261,31 +261,23 @@
     NE_FREE(mopt->option);
 }
 
-/* Static global variable for fstat default */
-static uid_t G_uid; 
-static gid_t G_gid; 
-static mode_t G_mode;
-
-/* Set default uid, gid, and mode */
+/* 2005-06-03, werner, fix permission checking
+   set uid and guid from mounting user, fixed mode
+   dont't allow to change any of this */
+extern struct stat dav_file_stat;
+extern struct stat dav_dir_stat;
 void dav_set_fstat_default(uid_t uid, gid_t gid, mode_t mode) {
-    G_uid = uid;
-    G_gid = gid;
-    G_mode = mode;
-}
-
-/* Get uid, gid, and mode. Still need to set mode is DIR or REG */
-void dav_get_fstat_default(struct stat *stat) {
-
-    /* Not set ?? */
-    if(G_mode==0) {
-	DBG0("Fstat default is not set!");
-	stat->st_mode = DEFAULT_MODE;
-    } else {
-	stat->st_mode = G_mode;
-    }
-
-    stat->st_uid = G_uid;
-    stat->st_gid = G_gid;
+    dav_file_stat.st_uid = uid;
+    dav_file_stat.st_gid = gid;
+    dav_file_stat.st_mode = S_IRUSR | S_IWUSR | S_IFREG;
+    dav_file_stat.st_nlink = 1;
+    dav_file_stat.st_blksize = 1024;
+    dav_dir_stat.st_uid = getuid();
+    dav_dir_stat.st_gid = getgid();
+    dav_dir_stat.st_mode = S_IRWXU | S_IFDIR;
+    dav_dir_stat.st_nlink = 1;
+    dav_dir_stat.st_blksize = 1024;
+    dav_dir_stat.st_size = 512;
 }
 
 /* dav_kill_prev_mount */
diff -Naur davfs2-0.2.3.orig/src/util.h davfs2-0.2.3/src/util.h
--- davfs2-0.2.3.orig/src/util.h	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/src/util.h	2005-06-04 13:44:51.000000000 +0200
@@ -91,9 +91,6 @@
 /* Set default uid, gid, and mode */
 void dav_set_fstat_default(uid_t uid, gid_t gid, mode_t mode);
 
-/* Get uid, gid, and mode. Still need to set mode is DIR or REG */
-void dav_get_fstat_default(struct stat *stat);
-
 /* Save pid */
 int dav_save_mount_pid(const char *dev);
 
diff -Naur davfs2-0.2.3.orig/src/webdav.c davfs2-0.2.3/src/webdav.c
--- davfs2-0.2.3.orig/src/webdav.c	2005-06-03 21:03:13.000000000 +0200
+++ davfs2-0.2.3/src/webdav.c	2005-06-03 22:39:20.000000000 +0200
@@ -40,6 +40,8 @@
 #include "util.h"
 
 /* Global variables */
+extern struct stat dav_file_stat;
+extern struct stat dav_dir_stat;
 static ne_session *session;
 static char *proxy_hostname;
 static int proxy_port;
@@ -418,20 +420,11 @@
     
     data = ne_propset_value(set, &stat_props[1]);
     
-    /* 
-     *  Get default value 
-     *  gid, gid, and mode
-     */
-    dav_get_fstat_default(&(result->f_st));
-    
     if (data && strstr(data, "collection")) {
-	/* Directory should have X permission */
-	result->f_st.st_mode |= S_IFDIR;
-	result->f_st.st_mode |= S_IXUSR;
-	result->f_st.st_size = 512;
+        result->f_st = dav_dir_stat;
     }
     else {
-	result->f_st.st_mode |= S_IFREG;
+        result->f_st = dav_file_stat;
     }
 
     /* FIXME : Do we need to return . and .. ?? */
@@ -476,8 +469,9 @@
 	
 	/* executable */
 	data = ne_propset_value(set, &stat_props[4]);
-	if( data ) 
-	    result->f_st.st_mode |= S_IXUSR | S_IXGRP | S_IXOTH;
+    /* 2005-06-03, werner, dont't allow execute */
+	/*if( data ) 
+	    result->f_st.st_mode |= S_IXUSR | S_IXGRP | S_IXOTH;*/
 	
 	result->f_st.st_blksize = DAVFS_BLKSIZE;
 	result->f_st.st_blocks = 
@@ -780,11 +774,6 @@
 
 }
 
-/* FIXME: How can we change mode? */
-int dav_chmod(const char *name, unsigned short mode) {
-    return 0;
-}
-
 /* start emacs stuff */
 /* 
  * local variables: 

Message #63 received at 310757@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: 310757@bugs.debian.org

Subject: This is CAN-2005-1774

Date: Fri, 1 Jul 2005 17:37:51 +0200

[Message part 1 (text/plain, inline)]

Hi!

This vulnerability has been assigned CAN-2005-1774, please mention
that in the changelog.

Thanks!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

[signature.asc (application/pgp-signature, inline)]

Message #68 received at 310757-close@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@linux.org.ar>

To: 310757-close@bugs.debian.org

Subject: Bug#310757: fixed in davfs2 0.2.4-1

Date: Thu, 08 Sep 2005 11:32:06 -0700

Source: davfs2
Source-Version: 0.2.4-1

We believe that the bug you reported is fixed in the latest version of
davfs2, which is due to be installed in the Debian FTP archive:

davfs2_0.2.4-1.diff.gz
  to pool/main/d/davfs2/davfs2_0.2.4-1.diff.gz
davfs2_0.2.4-1.dsc
  to pool/main/d/davfs2/davfs2_0.2.4-1.dsc
davfs2_0.2.4-1_i386.deb
  to pool/main/d/davfs2/davfs2_0.2.4-1_i386.deb
davfs2_0.2.4.orig.tar.gz
  to pool/main/d/davfs2/davfs2_0.2.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 310757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@linux.org.ar> (supplier of updated davfs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  1 Aug 2005 21:41:35 -0300
Source: davfs2
Binary: davfs2
Architecture: source i386
Version: 0.2.4-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luciano@linux.org.ar>
Changed-By: Luciano Bello <luciano@linux.org.ar>
Description: 
 davfs2     - mount a WebDAV resource as a regular file system
Closes: 303533 310757 311286
Changes: 
 davfs2 (0.2.4-1) unstable; urgency=high
 .
   * New upstream version 0.2.4.
     - Solve CAN-2005-1774 .Permit users to mount their owns resources,
       considering the right permissions (closes: Bug#310757).
     - Configuration is allocated in a config file.
     - Support for SSL certificates.
   * The source doesn't unnecessary build libraries any more.
   * Support for URLs with spaces are included now (closes: Bug#311286).
   * Support for kernels 2.4 and 2.6 through a script wrapper
     (closes: Bug#303533).
Files: 
 a8d9bc7e674e40c1648420e3a38b0d0a 639 utils extra davfs2_0.2.4-1.dsc
 f8f76634ddd7a26f0f277f86262887b6 141438 utils extra davfs2_0.2.4.orig.tar.gz
 888cda19333b2a97f7f4569762fd417e 31024 utils extra davfs2_0.2.4-1.diff.gz
 70cf1a0ccc14e7f809b77b898638545b 53652 utils extra davfs2_0.2.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDIH+25UTeB5t8Mo0RAnrHAJ0dw1H5Wwh5jyvm5iVcjT6XCRU2UgCbBliu
sBuymPE9xRNzop0VJtUWeKk=
=ryd5
-----END PGP SIGNATURE-----

Message #69 received at 310757-done@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@linux.org.ar>

To: 310757-done@bugs.debian.org

Subject: Has been fixed for ages, but I forgot to close.

Date: Tue, 04 Oct 2005 17:04:06 -0300

[Message part 1 (text/plain, inline)]

Has been fixed for ages, but I forgot to close.

-- 
Luciano Bello <luciano@linux.org.ar>
Linux Argentina

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.