Fix up non-directory creation in SGID directories (CVE-2018-13405, bsc#1100416).

suse-commit: d1314725964bd66928b1d181f018059387f118fe
author: Goldwyn Rodrigues <rgoldwyn@suse.com> 2018-07-06 12:50:12 -0500
committer: Goldwyn Rodrigues <rgoldwyn@suse.com> 2018-07-06 12:50:12 -0500
commit: 1ab36524fad90cbb3552141a5b15d728511cad51 (patch)
tree: 7aa18da61a328c7a53fbd89b5358330f367dccce
parent: 3d14f8399d6227106b1cce8972e43fd34908e830 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/inode.c b/fs/inode.c
index 1599c9e3d39c..94bdfe68bf4e 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1943,8 +1943,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
 	inode->i_uid = current_fsuid();
 	if (dir && dir->i_mode & S_ISGID) {
 		inode->i_gid = dir->i_gid;
+
+		/* Directories are special, and always inherit S_ISGID */
 		if (S_ISDIR(mode))
 			mode |= S_ISGID;
+		else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
+			 !in_group_p(inode->i_gid) &&
+			 !capable_wrt_inode_uidgid(dir, CAP_FSETID))
+			mode &= ~S_ISGID;
 	} else
 		inode->i_gid = current_fsgid();
 	inode->i_mode = mode;
author	Goldwyn Rodrigues <rgoldwyn@suse.com>	2018-07-06 12:50:12 -0500
committer	Goldwyn Rodrigues <rgoldwyn@suse.com>	2018-07-06 12:50:12 -0500
commit	1ab36524fad90cbb3552141a5b15d728511cad51 (patch)
tree	7aa18da61a328c7a53fbd89b5358330f367dccce
parent	3d14f8399d6227106b1cce8972e43fd34908e830 (diff)