linux-kernel March 2009 archive
Main Archive Page > Month Archives  > linux-kernel archives
linux-kernel: Re: Ответ: VFS, NFS security bug? Should CAP_

Re: Ответ: VFS, NFS security bug? Should CAP_MKNOD and CAP_LINUX_IMMUTABLE be added to CAP_FS_MASK?

From: J. Bruce Fields <bfields_at_nospam>
Date: Mon Mar 16 2009 - 22:48:48 GMT
To: "Serge E. Hallyn" <>

Seems this isn't entirely obvious in the general case. In the specific case of nfsd, however, this is pretty obvious. So I'm inclined to submit the following now (and leave it to be reverted by a later patch if CAP_FS_MASK ends up including CAP_MKNOD, as seems likely).


commit 2ec8f8f0c0005ffe3cf93bbf3d9976de76cf4652 Author: J. Bruce Fields <> Date: Mon Mar 16 18:34:20 2009 -0400

    nfsd: nfsd should drop CAP_MKNOD for non-root     

    Since creating a device node is normally an operation requiring special     privilege, Igor Zhbanov points out that it is surprising (to say the     least) that a client can, for example, create a device node on a     filesystem exported with root_squash.     

    So, make sure CAP_MKNOD is among the capabilities dropped when an nfsd     thread handles a request from a non-root user.     

    Reported-by: Igor Zhbanov <>     Signed-off-by: J. Bruce Fields <>

diff --git a/include/linux/capability.h b/include/linux/capability.h index 02bdb76..7824483 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h @@ -393,8 +393,10 @@ struct cpu_vfs_cap_data {
# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
-# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \ - CAP_FS_MASK_B1 } }) +# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ + | CAP_TO_MASK(CAP_SYS_RESOURCE) \ + | CAP_TO_MASK(CAP_MKNOD), \ + CAP_FS_MASK_B1 } })

 #endif /* _KERNEL_CAPABILITY_U32S != 2 */   -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to More majordomo info at