| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130822185317.GI31117@1wt.eu> Date: Thu, 22 Aug 2013 20:53:17 +0200 From: Willy Tarreau <w@....eu> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Andy Lutomirski <luto@...capital.net>, "security@...nel.org" <security@...nel.org>, Ingo Molnar <mingo@...nel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Oleg Nesterov <oleg@...hat.com>, Al Viro <viro@...iv.linux.org.uk>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, Brad Spengler <spender@...ecurity.net> Subject: Re: [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) On Thu, Aug 22, 2013 at 11:48:10AM -0700, Linus Torvalds wrote: > On Wed, Aug 21, 2013 at 12:14 PM, Andy Lutomirski <luto@...capital.net> wrote: > > > > So let's be careful for now: only allow linkat(..., AT_EMPTY_PATH) > > if the target is I_LINKABLE. > > So I really detest this just because it's such a special case. Now > this is only useful for that one special case, and the thing very > fundamentally checks that one special case in a place that is > impossible to check for the /proc case, so the proc case remains > totally separate. > > Which just bothers me. > > I think we could easily at least allow the "file->f_creds == > current->creds" case (and yes, I literally mean comparing the pointers > - not only is it cheaper, but it literally means "nothing odd has > happened in between opening and the lookup"). > > And I'm wondering if we shouldn't actually do that at "path_init" > time. Right now the code says: > > /* Caller must check execute permissions on the > starting path component */ > struct fd f = fdget_raw(dfd); > > and then uses the struct file mindlessly. > > I'm wondering if we should just do some validation in that place, and say: > > - for directories, we require exec permissions here > - for everything else, we require that f->f_cred == current->cred check. > > I dunno. But that I_LINKABLE thing just bothers me. It screams "I'm > hacky" to me. I agreed, simply because the condition here is different from the one in /proc. I have read some code last evening to try to understand how /proc/pid/fd entries were granted access to various processes, because I would love to see the same condition being used in both places. Unfortunately, it's beyond my skills, and I stopped after my random attempts gave me some panics. Willy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists