lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <523C753A.8040401@suse.cz>
Date:	Fri, 20 Sep 2013 18:18:02 +0200
From:	Jiri Slaby <jslaby@...e.cz>
To:	David Miller <davem@...emloft.net>
CC:	ben@...adent.org.uk, akpm@...ux-foundation.org, jeffm@...e.com,
	netdev@...r.kernel.org, isdn4linux@...pen.de, isdn@...ux-pingi.de,
	sergei.shtylyov@...entembedded.com
Subject: Re: [patch 2/4] mISDN: add support for group membership check

On 09/20/2013 06:15 PM, David Miller wrote:
> From: Jiri Slaby <jslaby@...e.cz>
> Date: Fri, 20 Sep 2013 18:14:28 +0200
> 
>> On 09/20/2013 05:56 PM, David Miller wrote:
>>> From: Jiri Slaby <jslaby@...e.cz>
>>> Date: Fri, 20 Sep 2013 15:44:33 +0200
>>>
>>>> On 09/15/2013 01:28 AM, Ben Hutchings wrote:
>>>>>> @@ -694,6 +699,10 @@ base_sock_ioctl(struct socket *sock, uns 
>>>>>> case IMSETDEVNAME: { struct mISDN_devrename dn; +		if
>>>>>> (!capable(CAP_SYS_ADMIN) && +				!gid_eq(misdn_permitted_gid,
>>>>>> current_gid()) && +				!in_group_p(misdn_permitted_gid)) +
>>>>>> return -EPERM; if (copy_from_user(&dn, (void __user *)arg, 
>>>>>> sizeof(dn))) { err = -EFAULT;
>>>>>
>>>>> This seems to be the important bit: renaming of devices (if allowed
>>>>> at all) ought to be limited to CAP_SYS_ADMIN or possibly
>>>>> CAP_NET_ADMIN. But why should the group that is allowed to use
>>>>> mISDN data sockets also be allowed to do this?
>>>>
>>>> This is based on an old patch we are dragging in SUSE since 2009:
>>>> http://www.isdn4linux.de/pipermail/isdn4linux/2009-December/004493.html
>>>> https://bugzilla.novell.com/show_bug.cgi?id=564423
>>>>
>>>> The whole point of the gid-based access was to still allow some user
>>>> group to manipulate the device in an arbitrary way.
>>>>
>>>> So if everybody agrees I will just disallow rename to
>>>> non-CAP_NET_ADMIN users and we are done?
>>>
>>> No we are not done, sorry.
>>>
>>> Having a device specific module parameter for this is wrong on several
>>> fundamental levels.
>>
>> What I'm suggesting is just to put a !capable(CAP_NET_ADMIN) test into
>> the rename path and nothing more.
> 
> And I'm saying that regardless of such a change, the patch itself
> is fundamentally implemented incorrectly and not acceptable for
> upstream inclusion until the interface for configuration is changed.

Ok, let's leave the hole in there then.

-- 
js
suse labs
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ