lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Nov 2015 11:57:26 -0800 From: Andy Lutomirski <luto@...capital.net> To: Serge Hallyn <serge.hallyn@...ntu.com> Cc: Dirk Steinmetz <public@...tdrjgfuzkfg.com>, Seth Forshee <seth.forshee@...onical.com>, Alexander Viro <viro@...iv.linux.org.uk>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Kees Cook <keescook@...omium.org>, Serge Hallyn <serge.hallyn@...onical.com> Subject: Re: [PATCH] namei: permit linking with CAP_FOWNER in userns On Mon, Nov 2, 2015 at 10:02 AM, Serge Hallyn <serge.hallyn@...ntu.com> wrote: > Quoting Dirk Steinmetz (public@...tdrjgfuzkfg.com): >> >> > We've already dealt with such regressions and iirc agreed that they were >> > worthwhile. >> Would you prefer to not fix the issue at all, then? Or would you prefer to > > No. I think I was saying I think it's worth adding the 'gid must be mapped' > requirement. > > And I was saying that changing the capability needed is not ok. > >> add a new value on /proc/sys/fs/protected_hardlinks -- which would still >> cause the symptoms you describe on distributions using the new value, but >> would be more easy to change for users knowing that this is an issue? >> >> I personally still favor changing the behavior and documentation over a new >> value there, as -- once identified by the user -- the user can easily adapt > > I agree. > > Note the difference - changing the capability required to link the > file can affect (probably rare, but definately) normal, non-user-namespace > setups. Changing the link requirements in a user namespace so that gid > must be mapped only affects a case which we've previously said should not > be supported. I think it would have no effect at all on setups that don't use userns, so at least the exposure to potential ABI issues would be small. > > Linus may still disagree - not changing what userspace can do is pretty > fundamental, but this was purely a missed security fix iiuc. IIRC I just didn't do it because I didn't want to think about it at the time, and it didn't look like a *big* security issue. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists