lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4FD76D57.5020709@redhat.com>
Date:	Tue, 12 Jun 2012 18:24:55 +0200
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	James Bottomley <James.Bottomley@...senPartnership.com>
CC:	linux-kernel@...r.kernel.org, axboe@...nel.dk,
	linux-scsi@...r.kernel.org
Subject: Re: [PATCH] scsi: allow persistent reservations without CAP_SYS_RAWIO

Il 12/06/2012 18:21, James Bottomley ha scritto:
>> > Persistent reservations commands cannot be issued right now without
>> > giving CAP_SYS_RAWIO to the process who wishes to send them.  This
>> > is a bit heavy-handed, allow these two commands.
>
> Why is this heavy handed?  If you remove CAP_SYS_RAWIO, any userspace
> process can send these, which would allow any user to completely disrupt
> a SAN by injecting spurious reservations ... that doesn't look to be
> terribly safe for an operating system running in a data centre.

It is heavy-handed because:

1) there are still other protections such as DAC (both Unix permissions
and ACLs) and SELinux; CAP_SYS_RAWIO is effectively the same as root.

2) if any user could disrupt the SAN by injecting spurious reservations
just by having his laptop's root password, that data centre wouldn't be
terribly safe to begin with.

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ