Date:	Mon, 7 Dec 2009 17:16:38 +0000
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	Andrew Lutomirski <luto@....edu>
Cc:	Miklos Szeredi <miklos@...redi.hu>, akpm@...ux-foundation.org,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] vfs: new O_NODE open flag

> >        while(1)
> >                fchmod(fd, 0666);
> >
> > wait for device to unload, reload and be intended for another user
> > Race udev to a real open. You have a similar problem with vhangup() and
> > ttys.
> 
> Huh?  I would've thought that udev would (and already does?), on
> device unload, chown to 0:0, then chmod to 0000, then unlink, in which
> case that attack doesn't work.

udev doesn't control the device unload/reload. It responds to messages
from the kernel which are to some extent asynchronous to actual events.
It may be ok if udev is very careful but the fact it requires a close
inspection of the kernel and user space sides doesn't bode well (with or
without O_NODE). The fact we currently have an implied revoke by the
device refcounts is a big helper at the moment.

The tty cases using vhangup() assume that the handle is killed and would
also need addressing.

> Would you be okay with a patch that prevented opening
> /proc/self/fd/xxx on O_NODE handles?  I personally don't care about

I'd like to see what Al Viro has to say on the subject first.
The /proc/self stuff bothers me less - I've not seen a convincing
description of it being misusable where ptrace wouldn't allow the same
actions. Even the constructed scenarios share that property.

> O_NODE all that much, but I'd like a decent in-kernel AFS
> implementation (and a decent revoke() implementation, and especially
> the ability to revoke whole filesystems would be really nice too).

The AFS case is probably the easier one - it's things like device files
where one handle can change completely what it references (due to device
loads/unloads and dynamic major/minor assignment) that make it evil.

CIFS/SMB is horrible for different reasons (a handle open on some piece
of namespace isn't going to always be the same actual file) but you
could simply decide CIFS/SMB and any other problematic cases don't
support it.

I don't really have a problem with it providing it's restricted to
ordinary files on a file system where having a local inode reference
means you have a stable reference to an object on the remote system or
the local media.

The way to start this is firstly to convince Al Viro (always a good
sanity check), and then to start with the obviously safe cases only -
regular files, only file systems with stable inode references.

Devices are hard - why do we need O_NODE on devices anyway ?
