lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20080212154749.de96c277.akpm@linux-foundation.org>
Date:	Tue, 12 Feb 2008 15:47:49 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	David Howells <dhowells@...hat.com>
Cc:	torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org,
	dhowells@...hat.com
Subject: Re: [PATCH 2/4] KEYS: Check starting keyring as part of search

On Fri, 08 Feb 2008 16:04:29 +0000
David Howells <dhowells@...hat.com> wrote:

> Check the starting keyring as part of the search to (a) see if that is what
> we're searching for, and (b) to check it is still valid for searching.
> 
> The scenario:  User in process A does things that cause things to be
> created in its process session keyring.  The user then does an su to
> another user and starts a new process, B.  The two processes now
> share the same process session keyring.
> 
> Process B does an NFS access which results in an upcall to gssd.
> When gssd attempts to instantiate the context key (to be linked
> into the process session keyring), it is denied access even though it
> has an authorization key.
> 
> The order of calls is:
> 
>    keyctl_instantiate_key()
>       lookup_user_key()				    (the default: case)
>          search_process_keyrings(current)
> 	    search_process_keyrings(rka->context)   (recursive call)
> 	       keyring_search_aux()
> 
> keyring_search_aux() verifies the keys and keyrings underneath the
> top-level keyring it is given, but that top-level keyring is neither
> fully validated nor checked to see if it is the thing being searched for.
> 
> This patch changes keyring_search_aux() to:
> 1) do more validation on the top keyring it is given and
> 2) check whether that top-level keyring is the thing being searched for
> 
> ...
>
> +	    (keyring->expiry && now.tv_sec >= keyring->expiry))

time_after()?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ