lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1300132195.2194.6.camel@dan>
Date:	Mon, 14 Mar 2011 15:49:55 -0400
From:	Dan Rosenberg <drosenberg@...curity.com>
To:	Richard Weinberger <richard@....at>
Cc:	akpm@...ux-foundation.org, mingo@...e.hu, davem@...emloft.net,
	dzickus@...hat.com, randy.dunlap@...cle.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Restrict write access to dmesg_restrict

On Mon, 2011-03-14 at 20:35 +0100, Richard Weinberger wrote:
> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
> to read the kernel ring buffer.
> But a root user without CAP_SYS_ADMIN is able to reset
> dmesg_restrict to 0.

A minor correction, CAP_SYSLOG is needed to read the kernel syslog.  But
I think requiring CAP_SYS_ADMIN is appropriate to modify the value of
the sysctl, so assuming the commit message reflects this:

Acked-by: Dan Rosenberg <drosenberg@...curity.com>

> 
> This is an issue when e.g. LXC (Linux Containers) are used
> and complete user space is running without CAP_SYS_ADMIN.
> A unprivileged and jailed root user can bypass the
> dmesg_restrict protection.
> 
> With this patch writing to dmesg_restrict is only allowed
> when root has CAP_SYS_ADMIN.
> 
> Signed-off-by: Richard Weinberger <richard@....at>
> ---
>  kernel/sysctl.c |   18 +++++++++++++++++-
>  1 files changed, 17 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 4eed0af..f90c8f6 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int write,
>  			       void __user *buffer, size_t *lenp, loff_t *ppos);
>  #endif
>  
> +#ifdef CONFIG_PRINTK
> +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> +				void __user *buffer, size_t *lenp, loff_t *ppos);
> +#endif
> +
>  #ifdef CONFIG_MAGIC_SYSRQ
>  /* Note: sysrq code uses it's own private copy */
>  static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
> @@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
>  		.data		= &dmesg_restrict,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dointvec_minmax,
> +		.proc_handler	= proc_dmesg_restrict,
>  		.extra1		= &zero,
>  		.extra2		= &one,
>  	},
> @@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int write,
>  	return err;
>  }
>  
> +#ifdef CONFIG_PRINTK
> +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> +				void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> +	if (write && !capable(CAP_SYS_ADMIN))
> +		return -EPERM;
> +
> +	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> +}
> +#endif
> +
>  struct do_proc_dointvec_minmax_conv_param {
>  	int *min;
>  	int *max;
> -- 
> 1.6.6.1


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ