lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 08 Aug 2009 05:53:04 +0900
From:	OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
To:	Eric Paris <eparis@...hat.com>
Cc:	Amerigo Wang <amwang@...hat.com>, linux-kernel@...r.kernel.org,
	esandeen@...hat.com, eteo@...hat.com,
	linux-fsdevel@...r.kernel.org, akpm@...ux-foundation.org,
	viro@...iv.linux.org.uk, sds@...ho.nsa.gov,
	linux-security-module@...r.kernel.org
Subject: Re: [Patch v3] vfs: allow file truncations when both suid and write permissions set

Eric Paris <eparis@...hat.com> writes:

>> > I was thinking about this and kept telling myself I was going to test v2
>> > before I ack/nak.  Clearly we shouldn't for the dropping of SUID if the
>> > process didn't have permission to change the ATTR_SIZE.
>> >
>> > Acked-by: Eric Paris <eparis@...hat.com>
>> 
>> BTW, Do you know why doesn't security modules fix the handling of
>> do_truncate() (i.e. ATTR_MODE | ATTR_SIZE). And why doesn't it allow to
>> pass ATTR_FORCE for it?
>
> I'm not sure what you mean.  I understood ATTR_FORCE to mean 'I am magic
> and get to override all security checks."  Which is why nothing should
> ever be using ATTR_FORCE with things other than SUID.
>
> I guess we could somehow force logic into the LSM to make it only apply
> to SUID and friends but I'm not sure it buys us anything.

Yes, I think it's good way. Don't we want to do the following?

	if (permission check of job)
		return error;
	if (do job at once)
        	return error;

But currently way is,

	if (permission check of first part)
        	return error
	if (do first part of job)
        	return error
	if (permission check of second part)
        	return error
	if (do second part of job)
        	return error

So, if second part was error, we may want to undo the job of first part
in theory. But, to undo is just hard and strange.

This is why I think ATTR_FORCE is good way. What do you think?

Thanks.
-- 
OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ