From: Al Viro <viro@ZenIV.linux.org.uk>
To: Vasiliy Kulikov <segooon@gmail.com>
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: check capabilities in open()
Date: Sat, 24 Jul 2010 18:23:56 +0000
Message-ID: <20100724182355.GA9134@ZenIV.linux.org.uk>
In-Reply-To: <20100724160701.GA4907@albatros>
On Sat, Jul 24, 2010 at 08:07:01PM +0400, Vasiliy Kulikov wrote:
> Hi,
>
> I've found that some drivers check process capabilities via capable() in
> open(), not in ioctl()/write()/etc.
>
> I cannot find an answer in POSIX, but IMO a process expects that file
> descriptors of a privileged user and file descriptors of the same
> file/device are the same in the privilege aspect. The driver should deny/allow
> open() and deny/allow ioctl() based on user privileges. How
> the process gained this fd doesn't matter.
>
> So I think these 2 examples should be equal:
>
> 1) root process opened the file and then dropped its privileges
>
> 2) nonroot process opened the file
They most certainly should _not_. Consider the following mechanism:
process A authenticates itself to process B
B is convinced to open a file that wouldn't be readable for A.
B passes descriptor to A.
A reads from it.
You are breaking that.
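Al's mechanism, as an added example (my code, not from the thread): B opens the file and hands the descriptor to A over a Unix socket with SCM_RIGHTS, so A reads data it could never open itself. A driver that repeated its capable() check in read()/ioctl() would break this kind of delegation; checking at open() is what lets the descriptor act as the grant. Assumes Linux/glibc; the temp file path and its "secret" content are constructed for the self-check.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* SCM_RIGHTS over a Unix socket: fd >= 0 sends that fd (0/-1); fd < 0 receives
 * and returns the new descriptor the kernel installed in this process, or -1. */
static int pass_fd(int sock, int fd)
{
    char c = 'x', buf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (fd >= 0) {
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1 || !(cm = CMSG_FIRSTHDR(&msg)) ||
        cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Self-check: B (child) opens a constructed file that A (parent) never calls
 * open() on, passes the fd, and A reads through it. Returns 1 on success. */
static int delegation_demo(void)
{
    char tmp[] = "/tmp/fdpass-XXXXXX", got[16] = {0};
    int sv[2], n = -1, fd = mkstemp(tmp);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (fork() == 0) {                    /* B: the only side that calls open() */
        fd = open(tmp, O_RDONLY);
        if (fd >= 0) pass_fd(sv[1], fd);
        _exit(0);
    }
    close(sv[1]);
    fd = pass_fd(sv[0], -1);              /* A: receives B's open file, not a path */
    close(sv[0]);
    wait(NULL);
    if (fd >= 0) { n = (int)read(fd, got, sizeof got - 1); close(fd); }
    unlink(tmp);
    return n == 7 && strcmp(got, "secret\n") == 0;
}
```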