Message-ID: <20140508142939.201b3e07@nehalam.linuxnetplumber.net>
Date:	Thu, 8 May 2014 14:29:39 -0700
From:	Stephen Hemminger <stephen@...workplumber.org>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Andy Lutomirski <luto@...capital.net>,
	David Miller <davem@...emloft.net>,
	"Jorge Boncompte [DTI2]" <jorge@...2.net>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Vivek Goyal <vgoyal@...hat.com>,
	Simo Sorce <ssorce@...hat.com>,
	"security@...nel.org" <security@...nel.org>,
	Network Development <netdev@...r.kernel.org>,
	"Serge E. Hallyn" <serge@...lyn.com>
Subject: Re: [PATCH 5/5] net: Use netlink_ns_capable to verify the
 permissions of netlink messages

On Wed, 7 May 2014 16:34:08 -0700
Linus Torvalds <torvalds@...ux-foundation.org> wrote:

> On Wed, May 7, 2014 at 4:01 PM, Andy Lutomirski <luto@...capital.net> wrote:
> >
> > I agree that it should, but it doesn't, and if these patches get
> > backported, things will break.  OTOH, if the patches don't get
> > backported, things may still break, and we have a possibly rather
> > severe unfixed vulnerability.
> 
> How did this *use* to work? It looks like it drops permissions after
> the bind(), so the actual _IO_ must have always been done without
> permissions, no?
> 
> Is it just a bind-time permission check that is now failing, because
> it uses the credentials associated with the socket open? If so, I'd
> suggest undoing just the ns-capable change for bind(), and make that
> one always use the current process effective one.
> 
> If you're a suid application, you're not doing "bind()" on random file
> descriptors that were passed to you. It's really just read/write that
> need to be careful.
> 
>             Linus

Quagga drops privileges at startup then selectively raises them.
The code raises caps in the netlink code for bind and for each sendto
and recvmsg call.

Ideally it should not have to raise/lower on each send/recvmsg
call.

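The sequence Stephen describes (create and bind the netlink socket while privileged, then do the sendto/recvmsg I/O without re-raising capabilities) as an added C example; this is not Quagga's or the kernel's code. It opens and binds a NETLINK_ROUTE socket, clears every capability with capset(2) to model the startup privilege drop, and then runs an RTM_GETLINK dump on the already-bound socket. A GET dump needs no capability on any kernel, so the example shows the I/O path that works on a socket bound earlier regardless of the caller's current capabilities; it is the privileged modifying requests (routes, addresses) where the credentials the kernel attaches to the socket, as opposed to the caller's effective set, decide. The function names and the Linux/glibc build environment are assumptions made here.

```c
#define _GNU_SOURCE
/* Added example (not Quagga's or the kernel's code): bind an rtnetlink
 * socket, drop all capabilities, then dump links on the bound socket. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Clear the effective, permitted and inheritable sets with capset(2).
 * Reducing capabilities is always allowed, so this models the
 * "drop privileges at startup" step whether or not we started as root. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Create and bind a NETLINK_ROUTE socket (no multicast groups).
 * This is the step a daemon does while it still holds its privileges. */
static int open_rtnl(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0)
        return -1;
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send an RTM_GETLINK dump request and count the RTM_NEWLINK replies.
 * Returns the number of links, or -1 with errno set. */
static int count_links(int fd)
{
    struct {
        struct nlmsghdr nh;
        struct ifinfomsg ifm;
    } req;
    memset(&req, 0, sizeof req);
    req.nh.nlmsg_len = NLMSG_LENGTH(sizeof req.ifm);
    req.nh.nlmsg_type = RTM_GETLINK;
    req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    req.nh.nlmsg_seq = 1;
    req.ifm.ifi_family = AF_UNSPEC;

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    if (sendto(fd, &req, req.nh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof kernel) < 0)
        return -1;

    char buf[16384];
    int count = 0;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0)
            return -1;
        for (struct nlmsghdr *nh = (struct nlmsghdr *)buf;
             NLMSG_OK(nh, n); nh = NLMSG_NEXT(nh, n)) {
            if (nh->nlmsg_type == NLMSG_DONE)
                return count;
            if (nh->nlmsg_type == NLMSG_ERROR) {
                struct nlmsgerr *e = NLMSG_DATA(nh);
                if (e->error) {
                    errno = -e->error;
                    return -1;
                }
                continue; /* a zero error is just an ACK */
            }
            if (nh->nlmsg_type == RTM_NEWLINK)
                count++;
        }
    }
}

/* The whole sequence from the thread: bind first, drop every capability,
 * then do the I/O with no privilege at all. Returns link count or -1. */
int links_after_dropping_caps(void)
{
    int fd = open_rtnl();
    if (fd < 0)
        return -1;
    if (drop_all_caps() < 0) {
        close(fd);
        return -1;
    }
    int n = count_links(fd);
    close(fd);
    return n;
}

int main(void)
{
    int n = links_after_dropping_caps();
    if (n < 0) {
        perror("rtnetlink dump");
        return 1;
    }
    printf("%d link(s) dumped with all capabilities cleared\n", n);
    return 0;
}
```

Every network namespace has at least the loopback device, so the dump returns one or more links even in a minimal container; swapping the request for a modifying one (for example an RTM_NEWROUTE) is where the per-call raise/lower that Stephen mentions, and the socket-versus-caller credential question Linus raises, come into play.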

