| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 04 Nov 2008 14:42:50 -0700 From: Andreas Dilger <adilger@....com> To: Akira Fujita <a-fujita@...jp.nec.com> Cc: linux-ext4@...r.kernel.org, Theodore Tso <tytso@....edu>, Mingming Cao <cmm@...ibm.com>, hch@...radead.org Subject: Re: [RFC][PATCH 7/9]ext4: Add the EXT4_IOC_FIEMAP_INO ioctl On Oct 31, 2008 18:46 +0900, Akira Fujita wrote: >> Why does a regular user need to do the ioctl on a file that it may not >> have read permission to access? I can see this is useful for root >> doing a defrag of the whole filesystem instead of opening and closing >> all of the files, but for regular users we need to validate via the >> full path to ensure they can even access the file before defragmenting it. > > The FIEMAP_INO ioctl just passes a inode number belongs to > the target block group from user space to kernel space > and then the owner check is done in the kernel space. > > If the regular user (defrag -f excecutant) is owner of a file, > defrag handles this file as the candidate of victim file which would > be moved to the other block group to make free space. > > So I think the full path check is unneeded because the owner check > is done in the kernel space (I'm not sure it's good enough). > If it's not good in the security point of view, > I will make defrag -f mode be done only by root user. If the defrag operation is limited to the owner of the file (or root via CAP_DAC_OVERRIDE) then this is probably OK also. The data never gets to userspace so there is relatively little risk to this operation. >>>> This was mentioned last time these patches were posted, but there was >>>> no reply from you. Christoph suggested a more generic VFS open-by-inum, >>>> which isn't impossible to do but would cause a lot of controversy I >>>> think, while the EXT4_IOC_WRAPPER is at least contained within ext4, >>>> but is more generically useful than EXT4_IOC_FIEMAP_INO. > > How do the other ext4 developers think about > implementing EXT4_IOC_WRAPPER? > Will it be used only for defrag so far? I expect the initial users of this ioctl will be FIEMAP and DEFRAG, but it might also be useful for other ioctls in the future. I haven't really asked other ext4 developers about it yet, and nobody else has commented the last time I posted the patch. I don't have an objection to Christoph's open-by-FH API, if there is acceptance of this from other kernel developers (Al Viro in particular), but that exposes a lot more security issues than just the ioctl wrapper. Cheers, Andreas -- Andreas Dilger Sr. Staff Engineer, Lustre Group Sun Microsystems of Canada, Inc. -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists