Message-ID: <20081108172752.GA7314@ioremap.net>
Date:	Sat, 8 Nov 2008 20:27:52 +0300
From:	Evgeniy Polyakov <zbr@...emap.net>
To:	Robert Love <rlove@...ve.org>
Cc:	mtk.manpages@...il.com, linux-kernel@...r.kernel.org,
	linux-api@...r.kernel.org, John McCutchan <ttb@...tacle.dhs.org>
Subject: Re: [1/1] Use pid in inotify events.

Hi.

On Sat, Nov 08, 2008 at 12:04:40PM -0500, Robert Love (rlove@...ve.org) wrote:
> The reason John & I did not add a pid field -- and we discussed it and
> really wanted it -- is security. It is an information leak to know
> what an unrelated process is doing.

Really? And receiving notifications about hidden root-only
modified files is ok in this case? :)
Fortunately /proc file creation is not broadcast via inotify.

I'm talking about the following example:

libionotify-1.0$ LD_PRELOAD=./libionotify.so ./inotify -r /tmp
2008-11-08 20:08:19.412222 2478 CREATE: /tmp/test_dir
2008-11-08 20:08:45.725481 2478 CREATE: /tmp/test_dir/test
Failed to add notification for '/tmp/test_dir/test': Permission denied [13].
2008-11-08 20:11:11.424793 2478 CREATE: /tmp/test_dir/another_test
Failed to add notification for '/tmp/test_dir/another_test': Permission denied [13].
2008-11-08 20:11:11.426266 2478 WRITE : /tmp/test_dir/another_test

while in parallel I do:
$ sudo mkdir /tmp/test_dir
$ sudo chown 0.0 /tmp/test_dir
$ sudo chmod 700 /tmp/test_dir
$ sudo touch /tmp/test_dir/test
$ sudo dd if=/dev/zero of=/tmp/test_dir/another_test bs=4k count=1

Permission denied is returned when the program tries to add a watch to those objects.

Btw, this means that inotify does not break when permissions are changed
for a given object, particularly when read/exec is dropped. This may be a
security problem, since directory listing is forbidden in this case:

$ sudo mkdir /tmp/2
$ cd /tmp/2/
$ sudo chmod 700 .
$ sudo mkdir /tmp/2/test
$ ls
ls: cannot open directory .: Permission denied

Inotify successfully prints all created objects...

So, let's not talk about security with PIDs.

> Trust me that the rest of the kernel developers are even harder on
> this subject than I.
> 
> I suppose you could fill out the pid field only if the uid's match,
> but that is extra work for less utility.

Well... Although I could not call this 'security', yes, it can be
done for root and when uids match. This will solve my particular problem
where a server with multiple threads should differentiate between its own
writes and local writes from other processes.

-- 
	Evgeniy Polyakov
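
Added example, not part of the original message or of the kernel sources: a single-process C check of the behaviour described above, that a watch added while a directory was readable keeps delivering events after read permission is dropped. Instead of a root-owned directory it assumes an unprivileged user removing its own read bit (mode 0300); the function name and the scratch path are made up for the illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if IN_CREATE for "probe" is delivered after the watched directory
 * lost its read bit, 0 if not, -1 on setup failure. *list_denied is set to 1
 * when opendir() on the directory fails (it stays 0 when run as root). */
int watch_survives_chmod(int *list_denied)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX";    /* constructed scratch path */
    char file[sizeof(dir) + 8];
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int result = -1, ifd, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof(file), "%s/probe", dir);
    ifd = inotify_init1(IN_NONBLOCK);
    /* Read permission is checked once, here, while the directory is 0700. */
    if (ifd >= 0 && inotify_add_watch(ifd, dir, IN_CREATE) >= 0 &&
        chmod(dir, 0300) == 0) {                /* write+search, no listing */
        DIR *d = opendir(dir);
        *list_denied = (d == NULL);
        if (d) closedir(d);
        if ((fd = open(file, O_CREAT | O_WRONLY, 0600)) >= 0) {
            const struct inotify_event *ev = (const void *)buf;
            ssize_t n = read(ifd, buf, sizeof(buf));
            result = n >= (ssize_t)sizeof(*ev) && (ev->mask & IN_CREATE) &&
                     ev->len > 0 && strcmp(ev->name, "probe") == 0;
            close(fd);
        }
    }
    if (ifd >= 0) close(ifd);
    unlink(file);
    chmod(dir, 0700);                           /* restore so rmdir works */
    rmdir(dir);
    return result;
}

int main(void)
{
    int denied = 0, r = watch_survives_chmod(&denied);
    printf("listing denied: %d, event still delivered: %d\n", denied, r);
    return r == 1 ? 0 : 1;
}
```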