| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8b3777bc-4cd5-4bf9-b8f2-f7ba1d596769@yandex.ru> Date: Wed, 24 Apr 2024 01:59:12 +0300 From: stsp <stsp2@...dex.ru> To: Stefan Metzmacher <metze@...ba.org>, linux-kernel@...r.kernel.org Cc: Eric Biederman <ebiederm@...ssion.com>, Alexander Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...nel.org>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, Jeff Layton <jlayton@...nel.org>, Chuck Lever <chuck.lever@...cle.com>, Alexander Aring <alex.aring@...il.com>, linux-fsdevel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>, Christian Göttsche <cgzones@...glemail.com>, Jens Axboe <axboe@...nel.dk> Subject: Re: [PATCH 2/2] openat2: add OA2_INHERIT_CRED flag 22.04.2024 22:53, Stefan Metzmacher пишет: > I'm wondering if it would be better to capture the whole cred structure. > > Similar to io_register_personality(), which uses get_current_cred(). > > Only using uid and gid, won't reflect any group memberships or > capabilities... I ended up posting v3 where the group memberships are added but the rest, including capabilities, is omitted to avoid security risks. Does adding just a groupinfo to the set of overridden members (which is now: fsuid, fsgid and group_info) address your concern? I really think that raising caps is far out of the scope for my approach, which aims to be safe and simple. Someone else can do that later, if need be.
Powered by blists - more mailing lists