| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Jan 2008 12:33:25 +0100 From: Pavel Machek <pavel@....cz> To: Miklos Szeredi <miklos@...redi.hu> Cc: akpm@...ux-foundation.org, hch@...radead.org, serue@...ibm.com, viro@....linux.org.uk, ebiederm@...ssion.com, kzak@...hat.com, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, containers@...ts.osdl.org, util-linux-ng@...r.kernel.org Subject: Re: [patch 7/9] unprivileged mounts: allow unprivileged fuse mounts Hi! > > > AFAIR there were two security vulnerabilities in fuse's history, one > > > of them an information leak in the kernel module, and the other one an > > > mtab corruption issue in the fusermount utility. I don't think this > > > is such a bad track record. > > > > Not bad indeed. But I'd consider 'kill -9 not working' to be DoS > > vulnerability... > > The worst that can happen is that a sysadmin doesn't read the docs > (likely) before enabling fuse on a multiuser system, and is surprised > by a user doing funny things. And _then_ has to go read the docs, or > google for some info. This is basically how things normally work, and > I don't consider it a DoS. No, this is not normal. Kill -9 has been estabilished long time ago, and we should not be documenting its now-brokenness in Documentation/filesystems/fuse.txt . For example, my /etc/inittab currently has: kb::kbrequest:/etc/rc/rc.reboot 2 0 # # This file handles system shutdown and reboot. # PATH=/sbin:/bin:/usr/sbin:/usr/bin sync & # Kill all processes. wall System is going down NOW\! echo -n -e "\rSystem is going down: processes." killall5 -15 echo -n "." sleep 1 echo -n ". " killall5 -9 # Before unmounting file systems write a reboot record to wtmp. echo -n "wtmp " halt -w # Swap needs to be unmounted because otherwise busy filesystems remain. echo -n "swap " swapoff -a swapoff /c/swap swapoff /c/swap2 # Unmount file systems echo -n "umount." umount -a || ( sync & echo -n "umount-retry." sleep 1 umount -a || sulogin ) echo -n ". " mount -n -o remount,ro / # Now halt or reboot. if [ "$2" = "0" ] ; then swapoff -a echo "halted." halt -p -f else echo "rebooting..." reboot -d -f fi ...this will break with FUSE enabled, right? (Minor security hole by allowing users to stop c-a-delete, where none existed before?) I'm currently suspending by 'echo "mem" > /sys/power/state'. How should I do that _safely_ with FUSE enabled? If I want to get rid of nasty user in multiuser system, I do su nastyuser 'kill -9 -1' . How do I do the equivalent with FUSE enabled? (Without affecting other users?) Load average was never really meaningful number, but with FUSE enabled, users can set it to 666 without actually eating any CPU. SIGSTOP used to work, allowing you to prevent user processes from working while you examine them. Now SIGSTOP can be delayed for arbitrary time. Heck, imagine malicious user process misbehaves. Before FUSE, you could at least attach it with gdb to look what it is doing. Now you can't. I really believe FUSE vs. signals needs fixing. Either that, or updating all the manpages man 1 kill: - KILL 9 exit this signal may not be blocked + KILL 9 exit this signal may not be blocked, except by FUSE user mount Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists