| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YFlMJ12+3/MpYixW@kernel.org>
Date: Tue, 23 Mar 2021 04:02:15 +0200
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Andrey Ryabinin <arbn@...dex-team.ru>,
David Howells <dhowells@...hat.com>
Cc: James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>, keyrings@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] keys: Allow disabling read permissions for key possessor
On Mon, Mar 22, 2021 at 12:57:26PM +0300, Andrey Ryabinin wrote:
> keyctl_read_key() has a strange code which allows possessor to read
> key's payload regardless of READ permission status:
>
> $ keyctl add user test test @u
> 196773443
> $ keyctl print 196773443
> test
> $ keyctl describe 196773443
> 196773443: alswrv-----v------------ 1000 1000 user: test
> $ keyctl rdescribe 196773443
> user;1000;1000;3f010000;test
> $ keyctl setperm 196773443 0x3d010000
> $ keyctl describe 196773443
> 196773443: alsw-v-----v------------ 1000 1000 user: test
> $ keyctl print 196773443
> test
>
> The last keyctl print should fail with -EACCESS instead of success.
> Fix this by removing weird possessor checks.
>
> Signed-off-by: Andrey Ryabinin <arbn@...dex-team.ru>
I wrote a new test. If you include a test into a commit please
describe it so that it can be easily executed. Otherwise, it is
somewhat useless.
Anyway,
https://gist.github.com/jarkk0sakkinen/7b417be20cb52ed971a90561192f0883
David, why all of these end up allowing to still print the payload?
/Jarkko
Powered by blists - more mailing lists