From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Wed, 27 Dec 2023 14:01:59 +0100 Subject: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations Origin: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb Bug-Debian: https://bugs.debian.org/1061097 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22365

Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
being placed in user controlled directories, causing the PAM module to
block indefinitely during `openat()`.

Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
refer to a directory.

With this the check whether the final path element is a directory
becomes unnecessary, drop it.

Gbp-Pq: Name pam_namespace_o_directory

1 files changed, 1 insertions, 17 deletions

diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index f34ce934..ef856443 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -1194,7 +1194,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
 	int dfd = AT_FDCWD;
 	int dfd_next;
 	int save_errno;
-	int flags = O_RDONLY;
+	int flags = O_RDONLY | O_DIRECTORY;
 	int rv = -1;
 	struct stat st;
 
@@ -1248,22 +1248,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
 		rv = openat(dfd, dir, flags);
 	}
 
-	if (rv != -1) {
-		if (fstat(rv, &st) != 0) {
-			save_errno = errno;
-			close(rv);
-			rv = -1;
-			errno = save_errno;
-			goto error;
-		}
-		if (!S_ISDIR(st.st_mode)) {
-			close(rv);
-			errno = ENOTDIR;
-			rv = -1;
-			goto error;
-		}
-	}
-
 	if (flags & O_NOFOLLOW) {
 		/* we are inside user-owned dir - protect */
 		if (protect_mount(rv, p, idata) == -1) {