From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Andreas Dilger <adilger@sun.com>
Cc: "Aneesh Kumar K. V" <aneesh.kumar@linux.vnet.ibm.com>,
Jonathan Corbet <corbet@lwn.net>,
hch@infradead.org, viro@zeniv.linux.org.uk,
linux-fsdevel@vger.kernel.org
Subject: Re: [RFC PATCH] Generic name to handle and open by handle syscalls
Date: Fri, 26 Feb 2010 13:56:53 -0600 [thread overview]
Message-ID: <20100226195653.GA24861@us.ibm.com> (raw)
In-Reply-To: <AF27C78C-8540-4699-8065-A02215CE5921@sun.com>
Quoting Andreas Dilger (adilger@sun.com):
> On 2010-02-25, at 12:05, Serge E. Hallyn wrote:
> >Jipes! I was misunderstanding what you were doing with the struct
> >file_handle. Your use of the phrase 'guess handle for file' set me
> >straight. I thought you were encoding a file_handle into an fd using
> >sys_name_to_handle(), and passing that fd along over a unix sock -
> >so a
> >client would have to receive a validly opened fd to use it. If it can
> >just guess at a string, then yeah, please do hide that behind as much
> >privilege as you can!
>
> It seems to me that there are two different, though related, use
> cases. In some cases it would be desirable to allow "short lived"
> handles to be passed between processes, and in other cases it is
> necessary to have "long lived" handles.
Yes, but what do the client and server sides look like? Can this
be done using fds instead of file_handles? I.e. is requiring they
be sent over a unix sock ok? Probably not, but it seems worth
checking.
> For "short lived" or "strong" handles they should contain a
> capability that prevents arbitrary handles from being guessed, so
> such a handle could be used by any process, possibly for at most a
> limited duration or use count. For "long lived" handles, either the
> capability needs to be stored persistently so that it can be
> validated even after a server reboot, or the "weak" handles (without
> capabilities) that can be guessed should only be usable with
> CAP_DAC_OVERRIDE.
>
> >I take it then that the file_handles must be communicated over
> >something
> >other than unix socks (else you could just pass an fd and let the
> >client
> >either use the fd, or re-open /proc/self/fd/<fd>)? Would you be
> >able to
> >at least add a touch of randomness and hashing to make this
> >sa[fn]er and
> >turn this into a single-use capability? Or does that not fit your
> >usage
> >model? So the server would come up with some random bytes B,
> >calculate
> >H = hash(F|B) (hash of filename concatenated with random bytes),
> >pass F
> >and H along to client while storing F and B, so client can pass F
> >and H
> >to sys_open_by_handle() which confirms that that was a valid file
> >handle?
>
>
> Something like that. I'm not a security expert, and capability
> designs exist and I'd suggest we don't try to invent anything here.
All the better :)
-serge
next prev parent reply other threads:[~2010-02-26 19:57 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-19 5:42 [RFC PATCH] Generic name to handle and open by handle syscalls Aneesh Kumar K.V
2010-02-19 5:42 ` [RFC PATCH 1/3] vfs: Add name to file handle conversion support Aneesh Kumar K.V
2010-02-20 18:15 ` Andreas Dilger
2010-02-22 5:15 ` Aneesh Kumar K. V
2010-02-19 5:42 ` [RFC PATCH 2/3] vfs: Add open by file handle support Aneesh Kumar K.V
2010-02-20 18:58 ` Andreas Dilger
2010-02-20 20:13 ` Brad Boyer
[not found] ` <FB88A140-C2EB-4E62-9769-D2524C874C8C@sun.com>
2010-02-22 2:46 ` Brad Boyer
2010-02-26 19:21 ` J. Bruce Fields
2010-02-28 17:55 ` Andreas Dilger
2010-02-28 19:00 ` J. Bruce Fields
2010-03-01 18:25 ` Oleg Drokin
2010-03-01 21:25 ` J. Bruce Fields
2010-02-22 6:13 ` Aneesh Kumar K. V
2010-02-22 6:31 ` Dave Chinner
2010-02-26 19:24 ` J. Bruce Fields
2010-02-19 5:42 ` [RFC PATCH 3/3] x86: Add new syscalls for x86_32 Aneesh Kumar K.V
2010-02-19 9:34 ` [RFC PATCH] Generic name to handle and open by handle syscalls Andreas Dilger
2010-02-19 9:49 ` Aneesh Kumar K. V
2010-02-20 19:01 ` Andreas Dilger
2010-02-22 6:27 ` Aneesh Kumar K. V
2010-02-22 23:06 ` Jonathan Corbet
2010-02-23 0:56 ` James Morris
2010-02-23 8:58 ` Aneesh Kumar K. V
2010-02-23 19:46 ` Jonathan Corbet
2010-02-24 0:49 ` Dave Chinner
2010-02-25 4:53 ` Serge E. Hallyn
2010-02-25 14:30 ` Jonathan Corbet
2010-02-25 15:19 ` Serge E. Hallyn
2010-02-25 17:55 ` Aneesh Kumar K. V
2010-02-25 18:11 ` Serge E. Hallyn
2010-02-25 18:20 ` Aneesh Kumar K. V
2010-02-25 19:05 ` Serge E. Hallyn
2010-02-26 9:12 ` Andreas Dilger
2010-02-26 19:56 ` Serge E. Hallyn [this message]
-- strict thread matches above, loose matches on Subject: below --
2010-03-11 13:14 DENIEL Philippe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100226195653.GA24861@us.ibm.com \
--to=serue@us.ibm.com \
--cc=adilger@sun.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=corbet@lwn.net \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.