Message-ID: <d1eed411-789a-48ec-8468-8e5005fff909@yandex.ru>
Date: Tue, 28 Jan 2025 17:58:40 +0300
From: stsp <stsp2@...dex.ru>
To: Ondrej Mosnacek <omosnace@...hat.com>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: Willem de Bruijn <willemb@...gle.com>, Jason Wang <jasowang@...hat.com>,
Jakub Kicinski <kuba@...nel.org>, network dev <netdev@...r.kernel.org>,
Linux Security Module list <linux-security-module@...r.kernel.org>,
SElinux list <selinux@...r.kernel.org>
Subject: Re: Possible mistake in commit 3ca459eaba1b ("tun: fix group
permission check")
28.01.2025 17:45, stsp wrote:
> 28.01.2025 17:20, Ondrej Mosnacek wrote:
>> That could work, but the semantics become a bit weird, actually: When
>> you set both uid and gid, one of them needs to match. If you unset
>> uid/gid, you get a stricter condition (gid/uid must match). And if you
>> then also unset the other one, you suddenly get a less strict
>> condition than the first two - nothing has to match.
> Maybe this means that
> unsetting with -1 is something
> that shouldn't be done and/or
> allowed?
> In this case you only make it stricter.
> Modulo the inability to set both
> user/group at the same time,
> so you still get "less strict" when
> setting group after user already
> set...
It may actually be possible to
add the ioctl to set both at once.
In this case you also reset both
(with the same ioctl or add another
one for resetting both), which
makes the problem fully solved.
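
The strictness ordering discussed in this message, as an added example that is not part of the original e-mail and is not kernel code. It models only the semantics stated in the quoted text (both set: either may match; one set: that one must match; none set: nothing has to match); the struct names, the `UNSET` sentinel and the caller population are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define UNSET (-1)  /* constructed sentinel: value not configured */

/* Hypothetical model types, not the kernel's structures. */
struct dev_cfg { int owner; int group; };
struct caller  { int uid;   int gid;   };

/* Check as described in the quoted text. */
static bool model_allowed(struct dev_cfg d, struct caller c)
{
    bool has_owner = d.owner != UNSET;
    bool has_group = d.group != UNSET;

    if (!has_owner && !has_group)
        return true;                      /* nothing has to match */
    return (has_owner && c.uid == d.owner) ||
           (has_group && c.gid == d.group);
}

/* Constructed population: every uid/gid pair from {1000,2000} x {100,200}. */
static const struct caller callers[] = {
    {1000, 100}, {1000, 200}, {2000, 100}, {2000, 200},
};

/* Number of callers admitted: a simple measure of how strict a config is. */
static int count_allowed(struct dev_cfg d)
{
    int n = 0;
    for (size_t i = 0; i < sizeof callers / sizeof callers[0]; i++)
        n += model_allowed(d, callers[i]);
    return n;
}

int main(void)
{
    struct dev_cfg steps[] = {
        {1000, UNSET},   /* owner set first                     */
        {1000, 100},     /* then group set: becomes less strict */
        {UNSET, 100},    /* owner unset: becomes stricter       */
        {UNSET, UNSET},  /* group unset too: fully open         */
    };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++)
        printf("owner=%5d group=%5d -> %d of 4 callers allowed\n",
               steps[i].owner, steps[i].group, count_allowed(steps[i]));
    return 0;
}
```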