Message-ID: <8b3777bc-4cd5-4bf9-b8f2-f7ba1d596769@yandex.ru>
Date: Wed, 24 Apr 2024 01:59:12 +0300
From: stsp <stsp2@...dex.ru>
To: Stefan Metzmacher <metze@...ba.org>, linux-kernel@...r.kernel.org
Cc: Eric Biederman <ebiederm@...ssion.com>,
 Alexander Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...nel.org>,
 Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
 Jeff Layton <jlayton@...nel.org>, Chuck Lever <chuck.lever@...cle.com>,
 Alexander Aring <alex.aring@...il.com>, linux-fsdevel@...r.kernel.org,
 Paolo Bonzini <pbonzini@...hat.com>,
 Christian Göttsche <cgzones@...glemail.com>,
 Jens Axboe <axboe@...nel.dk>
Subject: Re: [PATCH 2/2] openat2: add OA2_INHERIT_CRED flag

On 22.04.2024 22:53, Stefan Metzmacher wrote:
> I'm wondering if it would be better to capture the whole cred structure.
>
> Similar to io_register_personality(), which uses get_current_cred().
>
> Only using uid and gid won't reflect any group memberships or
> capabilities...
I ended up posting v3 where the group memberships are added but the rest,
including capabilities, is omitted to avoid security risks.

Does adding just a group_info to the set of overridden members (which is
now: fsuid, fsgid and group_info) address your concern?

I really think that raising caps is far out of scope for my approach, which
aims to be safe and simple. Someone else can do that later, if need be.
