lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Aug 2013 10:04:16 -0700 From: Andy Lutomirski <luto@...capital.net> To: Al Viro <viro@...iv.linux.org.uk> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Willy Tarreau <w@....eu>, "security@...nel.org" <security@...nel.org>, Ingo Molnar <mingo@...nel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Oleg Nesterov <oleg@...hat.com>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, Brad Spengler <spender@...ecurity.net> Subject: Re: [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) On Sun, Aug 25, 2013 at 7:23 AM, Al Viro <viro@...iv.linux.org.uk> wrote: > On Sun, Aug 25, 2013 at 12:26:34AM -0700, Andy Lutomirski wrote: > >> I think this is more screwed up than just flink and open. For example: >> >> $ echo 'WTF' >test >> $ truncate -s 1 /proc/self/fd/3 3<test >> $ cat test >> W$ >> >> IMO that should have failed. > > Why? truncate() always follows links, so what's the problem with that > one? That you get checks of truncate() and not ftruncate()? The same as the issue with all these other things: the fd might have survived a privilege drop or been passed through exec or SCM_RIGHTS, and the holder of the fd might not be able to see the inode. For example, suppose a daemon creates a file with O_TMPFILE | O_RDWR. Then it does open("/proc/self/fd/N", O_RDONLY) to get a read-only fd for the same temporary file. It passes that fd to something else. It's rather surprising that the recipient would be able to truncate it using /proc/self/fd when it couldn't ftruncate it due to its being O_RDONLY. (Of course, this can be worked around by setting the mode to 0644, but I doubt that everyone will get that right.) > >> In an ideal world (I think) ffrob(N), frobat(N, "", AT_EMPTY_PATH), >> and frobat(AT_FDCWD, "/proc/self/fd/N) should generally do the same >> thing. > > What about the cases where frob() and ffrob() check for different things? I'll go out on a limb and say that every single case where ffrob has a check that frob("/proc/self/fd/N") doesn't is wrong. Maybe we're stuck with them for backwards compatibility, but that doesn't mean they're good ideas. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists