lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <202110151437.25B5543@keescook>
Date:   Fri, 15 Oct 2021 14:40:03 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     Rob Landley <rob@...dley.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Linux FS Devel <linux-fsdevel@...r.kernel.org>
Subject: Re: The one and only "permission denied" in find /sys

On Fri, Oct 15, 2021 at 11:14:47AM +0200, Christian Brauner wrote:
> On Wed, Oct 13, 2021 at 06:48:26PM -0700, Kees Cook wrote:
> > 
> > 
> > On October 13, 2021 1:12:16 PM PDT, Rob Landley <rob@...dley.net> wrote:
> > >There is exactly one directory in the whole of sysfs that a normal user can't
> > >read (at least on my stock devuan laptop):
> > >
> > >  $ find /sys -name potato
> > >  find: ‘/sys/fs/pstore’: Permission denied
> > >
> > >It's the "pstore" filesystem, it was explicitly broken by commit d7caa33687ce,
> > >and the commit seems to say this was to fix an issue that didn't exist yet but
> > >might someday.
> > 
> > Right, so, the problem did certainly exist: there was a capability check for opening the files, which made it difficult for pstore collector tools to run with sane least privileges. Adjusting the root directory was the simplest way to keep the files secure by default, and allow a system owner the ability to delegate collector permissions to a user or group via just a chmod on the root directory.
> > 
> > >Did whatever issue it was concerned about ever actually start happening? Why did
> > >you not change the permissions on the files _in_ the directory so they weren't
> > >world readable instead? Should /dev/shm stop being world ls-able as well?
> > 
> > Making the per-file permissions configurable at runtime was more complex for little additional gain.
> > 
> > /dev/shm has the benefit of having an existing permission model for each created file.
> > 
> > I wouldn't be opposed to a mount option to specify the default file owner/group, but it makes user space plumbing more difficult (i.e. last I checked, stuff like systemd tends to just mount kernel filesystems without options).
> 
> Hm, no, we do mount kernel filesystems with different options. :)
> So if pstore gains an option that could be changed pretty easily. Unless
> you meant something else by kernel filesystems. :)
> 
> static const MountPoint mount_table[] = {
         ^^^^^

right, I should have been more clear. I haven't seen a way for systemd
users to specify different mount options for "kernel filesystems".

> [...]
>         { "pstore",      "/sys/fs/pstore",            "pstore",     NULL,                                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
>           NULL,          MNT_NONE                   },

If it will do /etc/fstab merging, then sure, I'd be open to taking
patches that would make the file ownership/group be mount-time
configurable.

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ