lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 Sep 2021 11:01:00 -0400
From:   Bruce Fields <bfields@...hat.com>
To:     Vivek Goyal <vgoyal@...hat.com>
Cc:     Casey Schaufler <casey@...aufler-ca.com>,
        "Dr. David Alan Gilbert" <dgilbert@...hat.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>, virtio-fs@...hat.com,
        Daniel Walsh <dwalsh@...hat.com>,
        Christian Brauner <christian.brauner@...ntu.com>,
        Casey Schaufler <casey.schaufler@...el.com>,
        LSM <linux-security-module@...r.kernel.org>,
        selinux@...r.kernel.org, "Theodore Ts'o" <tytso@....edu>,
        Miklos Szeredi <miklos@...redi.hu>,
        Giuseppe Scrivano <gscrivan@...hat.com>,
        stephen.smalley.work@...il.com,
        Andreas Gruenbacher <agruenba@...hat.com>,
        Dave Chinner <david@...morbit.com>
Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr

On Tue, Sep 14, 2021 at 10:32 AM Vivek Goyal <vgoyal@...hat.com> wrote:
> open_by_handle_at() requires CAP_DAC_READ_SEARCH.

Or some sort of access to the network.  If you can send rpc requests
to the nfs server that appear to be from someone with access to the
export, you can guess filehandles that allow access to objects under
that directory.  You'll need access to particular objects, but you
won't need read or lookup access to the directory.

You can prevent that if you set things up right, but these
filehandle-issues are poorly understood, and people often forget to
take them into account.

--b.

> And if you have
> CAP_DAC_READ_SEARCH, you don't need to even guess file handles. You
> should be able to read/search through all directories, IIUC.
>
> So how does one make sure that shared directory on host is not
> accessible to unprivileged entities. If making directory accessible
> to root only is weaker security, what are the options for stronger
> security.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ