Message-ID: <BY5PR10MB41292A8AD879B726CC3D91DAC4BA9@BY5PR10MB4129.namprd10.prod.outlook.com>
Date: Fri, 10 Mar 2023 20:47:56 +0000
From: Anjali Kulkarni <anjali.k.kulkarni@...cle.com>
To: Christian Brauner <brauner@...nel.org>
CC: "davem@...emloft.net" <davem@...emloft.net>,
"edumazet@...gle.com" <edumazet@...gle.com>,
"kuba@...nel.org" <kuba@...nel.org>,
"pabeni@...hat.com" <pabeni@...hat.com>,
"zbr@...emap.net" <zbr@...emap.net>,
"johannes@...solutions.net" <johannes@...solutions.net>,
"ecree.xilinx@...il.com" <ecree.xilinx@...il.com>,
"leon@...nel.org" <leon@...nel.org>,
"keescook@...omium.org" <keescook@...omium.org>,
"socketcan@...tkopp.net" <socketcan@...tkopp.net>,
"petrm@...dia.com" <petrm@...dia.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Anjali Kulkarni <anjali.k.kulkarni@...cle.com>
Subject: Re: [PATCH 4/5] connector/cn_proc: Allow non-root users access
________________________________________
From: Christian Brauner <brauner@...nel.org>
Sent: Thursday, March 9, 2023 9:09 AM
To: Anjali Kulkarni
Cc: davem@...emloft.net; edumazet@...gle.com; kuba@...nel.org; pabeni@...hat.com; zbr@...emap.net; johannes@...solutions.net; ecree.xilinx@...il.com; leon@...nel.org; keescook@...omium.org; socketcan@...tkopp.net; petrm@...dia.com; linux-kernel@...r.kernel.org; netdev@...r.kernel.org
Subject: Re: [PATCH 4/5] connector/cn_proc: Allow non-root users access
On Wed, Mar 08, 2023 at 07:19:52PM -0800, Anjali Kulkarni wrote:
> The patch allows non-root users to receive cn proc connector
> notifications, as anyone can normally get process start/exit status from
> /proc. The reason for not allowing non-root users to receive multicast
> messages is long gone, as described in this thread:
> https://linux-kernel.vger.kernel.narkive.com/CpJFcnra/multicast-netlink-for-non-root-process
Sorry that thread is kinda convoluted. Could you please provide a
summary in the commit message and explain why this isn't an issue
anymore?
ANJALI> Looking into this some more, I think that instead of adding non-root access for all NETLINK_CONNECTOR users by including the flag NL_CFG_F_NONROOT_RECV, we could make this change at an even more fine-grained level than protocol level. So I will add a check to enable non-root access only for the event notification (cn_proc) user of NETLINK_CONNECTOR, based on the multicast group. Since CONNECTOR is very generic and could be used for varied purposes, a more fine-grained approach may be required here. I will send the next patch series with this change.
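For readers who want to see what "receiving cn_proc notifications" means from user space, here is an added example of the subscriber side (it is not part of the patch series and not code from the thread participants). It builds the NETLINK_CONNECTOR datagram that enables process-event multicast delivery on the CN_IDX_PROC group, decodes the fork/exec/exit events the kernel sends back, and attempts the subscription. The struct layouts and constants are copied from the kernel uapi headers (linux/netlink.h, linux/connector.h, linux/cn_proc.h) because Python's socket module does not export the connector-specific ones; the sample fork datagram is constructed, not captured. The bind() to a netlink multicast group is the step that is refused with EPERM for a process without CAP_NET_ADMIN, which is the restriction the discussion above is about, so an unprivileged run of this script reports that error rather than events.

```python
"""Added example: a user-space cn_proc subscriber and event parser."""
import os
import socket
import struct

# Constants copied from the kernel uapi headers linux/netlink.h,
# linux/connector.h and linux/cn_proc.h.
NETLINK_CONNECTOR = 11
NLMSG_DONE = 0x3
CN_IDX_PROC = 0x1
CN_VAL_PROC = 0x1
PROC_CN_MCAST_LISTEN = 1
PROC_CN_MCAST_IGNORE = 2
PROC_EVENT_FORK = 0x00000001
PROC_EVENT_EXEC = 0x00000002
PROC_EVENT_EXIT = 0x80000000

# Wire layouts in native byte order without padding ("=" prefix):
#   struct nlmsghdr   { __u32 len; __u16 type; __u16 flags; __u32 seq; __u32 pid; }  -> 16 bytes
#   struct cn_msg     { struct cb_id { __u32 idx, val; }; __u32 seq; __u32 ack;
#                       __u16 len; __u16 flags; __u8 data[]; }                        -> 20 bytes
#   struct proc_event { __u32 what; __u32 cpu; __u64 timestamp_ns; union {...}; }     -> 16-byte header
NLMSGHDR = struct.Struct("=IHHII")
CN_MSG = struct.Struct("=IIIIHH")
PROC_EVENT_HDR = struct.Struct("=IIQ")
MCAST_OP = struct.Struct("=I")          # enum proc_cn_mcast_op


def build_mcast_op(op, seq=0, pid=0):
    """Build nlmsghdr + cn_msg + proc_cn_mcast_op: the control message that
    turns event delivery on (PROC_CN_MCAST_LISTEN) or off (PROC_CN_MCAST_IGNORE)."""
    payload = MCAST_OP.pack(op)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, seq, 0, len(payload), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + CN_MSG.size + len(payload),
                       NLMSG_DONE, 0, seq, pid)
    return nl + cn + payload


def parse_proc_event(datagram):
    """Decode one datagram from the CN_IDX_PROC group into a dict.
    Returns None for anything that is not a cn_proc event."""
    if len(datagram) < NLMSGHDR.size + CN_MSG.size + PROC_EVENT_HDR.size:
        return None
    idx, val, _seq, _ack, _len, _flags = CN_MSG.unpack_from(datagram, NLMSGHDR.size)
    if (idx, val) != (CN_IDX_PROC, CN_VAL_PROC):
        return None
    off = NLMSGHDR.size + CN_MSG.size
    what, cpu, ts_ns = PROC_EVENT_HDR.unpack_from(datagram, off)
    body = off + PROC_EVENT_HDR.size
    ev = {"cpu": cpu, "timestamp_ns": ts_ns}
    if what == PROC_EVENT_FORK:
        ppid, ptgid, cpid, ctgid = struct.unpack_from("=iiii", datagram, body)
        ev.update(what="fork", parent_pid=ppid, parent_tgid=ptgid,
                  child_pid=cpid, child_tgid=ctgid)
    elif what == PROC_EVENT_EXEC:
        pid, tgid = struct.unpack_from("=ii", datagram, body)
        ev.update(what="exec", process_pid=pid, process_tgid=tgid)
    elif what == PROC_EVENT_EXIT:
        pid, tgid, code, sig = struct.unpack_from("=iiII", datagram, body)
        ev.update(what="exit", process_pid=pid, process_tgid=tgid,
                  exit_code=code, exit_signal=sig)
    else:
        ev.update(what="other", raw_what=what)
    return ev


def sample_fork_datagram():
    """Constructed sample (not a captured message): a fork event for parent
    pid 100 -> child pid 101 on CPU 2, laid out as the kernel sends it."""
    payload = (PROC_EVENT_HDR.pack(PROC_EVENT_FORK, 2, 123456789)
               + struct.pack("=iiii", 100, 100, 101, 101))
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 1, 0, len(payload), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + CN_MSG.size + len(payload), NLMSG_DONE, 0, 1, 0)
    return nl + cn + payload


def subscribe():
    """Open a NETLINK_CONNECTOR socket and join the CN_IDX_PROC group.
    Returns (sock, None) on success or (None, errno) on failure; without
    CAP_NET_ADMIN the bind() to a multicast group fails with EPERM."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    try:
        sock.bind((0, CN_IDX_PROC))      # port id 0: let the kernel assign one
        sock.send(build_mcast_op(PROC_CN_MCAST_LISTEN, pid=os.getpid()))
    except OSError as exc:
        sock.close()
        return None, exc.errno
    return sock, None


if __name__ == "__main__":
    sock, err = subscribe()
    if sock is None:
        print("subscribe failed:", os.strerror(err))
    else:
        for _ in range(5):
            print(parse_proc_event(sock.recv(4096)))
        sock.send(build_mcast_op(PROC_CN_MCAST_IGNORE, pid=os.getpid()))
        sock.close()
```

Run as root it prints five decoded events and then sends PROC_CN_MCAST_IGNORE; run as an ordinary user on a kernel without the proposed change it prints the EPERM from bind(), which is exactly the access the patch discussed here would open up for the cn_proc group only.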