lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091105145054.11f36b35@lxorguk.ukuu.org.uk>
Date:	Thu, 5 Nov 2009 14:50:54 +0000
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	Miklos Szeredi <miklos@...redi.hu>
Cc:	miklos@...redi.hu, akpm@...ux-foundation.org,
	viro@...IV.linux.org.uk, dhowells@...hat.com, hch@...radead.org,
	adilger@....com, mtk.manpages@...il.com,
	torvalds@...ux-foundation.org, drepper@...il.com,
	jamie@...reable.org, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 resend] vfs: new O_NODE open flag

On Thu, 05 Nov 2009 15:27:06 +0100
Miklos Szeredi <miklos@...redi.hu> wrote:

> On Thu, 5 Nov 2009, Alan Cox wrote:
> > >  - re-opening normally after checking file type (there's a debate
> > >    whether this would have security issues, but currently we do allow
> > >    re-opening with increased permissions thorugh /proc/*/fd)
> > 
> > Which has already been demonstrated to be an (unfixed) security hole.
> 
> No it hasn't :)  Jamie theorized that there *might* be a real world
> situation where the application writer didn't anticipate this
> behavior.  But as to actual demonstration, we have not seen one yet, I
> think.

The examples on the list are not entirely theoretical but based on
accepted and normal behaviour for application programming and Unix
security models -so they are a security bug, minor or otherwise.

Fortunately you can patch it by hand.

> And as for reopening O_NODE files with increased permission: that's
> feature people actually expressed interest in, so it's hardly a
> security hole, is it?

Its a very unexpected semantic particularly for a passed file handle.

> > Wrong way around. The defailt should be that O_NODE fails for any handle
> > which has not specifically added support.
> 
> Why?  O_NODE can be nicely implemented without any filesystem support.

So that you audit the behaviour for unexpected surprises as you go. And
in most filesystem cases that consists of "dum de dum, nothing to see,
add default handler, tick".

But that isn't the case for some things - consider CIFS and other network
file systems.

> The only filesystems that need to do anything special is things like
> AFS which for example want to implement special ioctls, which work on
> the node itself.
> 
> > You also need to address the open with no permissions pinning a removable
> > device question.
> 
> The whole point of O_NODE is that it doesn't do that, it only goes as
> far as the mnt/dentry for the filesystem node and not further.  It
> does not get to touch the device at all, so it can't pin it or have
> any other side effect.

You have a reference to the mnt/dentry pinned so how will you unmount the
volume ?

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ