| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Feb 2011 16:22:14 -0800 From: Kees Cook <kees.cook@...onical.com> To: Greg KH <gregkh@...e.de> Cc: Alan Cox <alan@...rguk.ukuu.org.uk>, David Daney <ddaney@...iumnetworks.com>, linux-kernel@...r.kernel.org, Eugene Teo <eugeneteo@...nel.sg>, Ralph Campbell <infinipath@...gic.com>, Roland Dreier <roland@...nel.org>, Sean Hefty <sean.hefty@...el.com>, Hal Rosenstock <hal.rosenstock@...il.com>, Jeremy Fitzhardinge <jeremy.fitzhardinge@...rix.com>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Alexander Viro <viro@...iv.linux.org.uk>, Miklos Szeredi <miklos@...redi.hu>, "J. Bruce Fields" <bfields@...ldses.org>, Neil Brown <neilb@...e.de>, Matthew Wilcox <matthew@....cx>, James Morris <jmorris@...ei.org>, Stephen Smalley <sds@...ho.nsa.gov>, Eric Paris <eparis@...isplace.org>, Nick Piggin <npiggin@...nel.dk>, Arnd Bergmann <arnd@...db.de>, Ian Campbell <ian.campbell@...rix.com>, Jarkko Sakkinen <ext-jarkko.2.sakkinen@...ia.com>, Tejun Heo <tj@...nel.org>, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: [PATCH 2/2] debugfs: only allow root access to debugging interfaces Hi Greg, On Tue, Feb 22, 2011 at 12:54:13PM -0800, Kees Cook wrote: > On Tue, Feb 22, 2011 at 12:37:04PM -0800, Greg KH wrote: > > On Tue, Feb 22, 2011 at 12:28:56PM -0800, Kees Cook wrote: > > > On Tue, Feb 22, 2011 at 12:16:10PM -0800, Greg KH wrote: > > > > On Tue, Feb 22, 2011 at 11:50:18AM -0800, Kees Cook wrote: > > > > > On Tue, Feb 22, 2011 at 07:34:18PM +0000, Alan Cox wrote: > > > > > > > What system do you proposed to keep these "stupid mistakes" from > > > > > > > continuing to happen? If debugfs had already been mode 0700, we could have > > > > > > > avoided all of these CVEs, including the full-blown local root escalation. > > > > > > > > > > > > And all sorts of features would have put themselves in sysfs instead and > > > > > > broken no doubt. > > > > > > > > > > > > > The "no rules" approach to debugfs is not a good idea, IMO. > > > > > > > > > > > > It's a debugging fs, it needs to be "no rules" other than the obvious > > > > > > "don't mount it on production systems" > > > > > > > > > > Okay, so the debugfs is not supposed to be mounted on a production system. > > > > > > > > No, not true at all, the "enterprise" distros all mount debugfs for good > > > > reason on their systems. > > > > > > What reasons are those? Or better yet, why do you and Alan Cox disagree on > > > this point? > > > > These distros have made the decision to support the perf interface, > > which lives in debugfs, for their customers. I'm not saying that I > > disagree with Alan about this, just pointing out the reality of the > > situation here. > > A tool used only by the root user, so the proposed mount mode of 0700 > wouldn't break anything. The summary is this: - debugfs has been demonstrably dangerous to have available - Alan Cox says that debugfs should not be used on production systems - Greg KH does not disagree - however, pref needs it, and this is used by some root users - perf will likely move out of debugfs as some point What is the objection, then, to making the root of debugfs mode 0600? All the tools I reviewed that need it run as root (e.g. powertop). I've already written, tested, and sent the patches -- they would not break the requirements above. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists