From: Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
To: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 3/3] read_config: skip file/directory with unsecure permissions
Date: Mon, 12 Aug 2013 14:39:35 -0600 [thread overview]
Message-ID: <20130812203935.GA8990@obsidianresearch.com> (raw)
In-Reply-To: <8d276f12593ddc79233fa41abdaf0d41-zgzEX58YAwA@public.gmane.org>
On Mon, Aug 12, 2013 at 10:24:55PM +0200, Yann Droneaud wrote:
> It's an installation error that can allow an attackant to tamper
> the configuration files. Once the configuration files are modified
> to load a payload, the attackant can either trick root to execute
> a verbs/RDMA program or use a verbs/RDMA setuid program to gain root
> access.
libibverbs does not have to defend itself against installation
errors. If you install stuff wrong, with the wrong permissions, you
will have an insecure system.
You have added checks for a single set of permissions, but there are
many other permissions that must also be correct to be secure for
setuid.
Fundamentally it is not the Unix Way to enforce security policy in
code.
> We don't have to wait for exploit to secure the loading mechanism of
> libibverbs.
What possible exploit? If installed properly the code is already
correct and not exploitable.
You are not fixing *ANYTHING* exploitable here. You are mis-applying
the CWE's you quoted. They fundamentally do not apply when all the
path components have secure permissions.
> >In any event, if these checks really are necessary they should be only
> >done if running in a setuid context, and they almost certainly need to
> >extend to the dlopen paths as well..
> They need to be done when the configuration files are owned by a
> different user that the one using the library (eg. running a program
> tied to the library).
No, that is not the Unix Way.
Only the setuid case ever needs special handling, and that handling
should be designed to prevent the unprivileged user from co-opting the
program while it is running as root.
All other case, including running verbs non-setuid as root, should
respect the normal permission systems.
> I put the emphasis on setuid use case, but a program run as root
> using configuration file owned by another user is more likely to
> happen (for devel, test purpose).
This should work fine as well. It is the sysadmin's choice to install
the config files under alternate permissions.
Funamentally a library should not enforce security policy if it not
necessary to do so.
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2013-08-12 20:39 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-20 21:43 [PATCH 0/3] make read_config() more robust Yann Droneaud
[not found] ` <cover.1369085762.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2013-05-20 21:43 ` [PATCH 1/3] read_config: ignore files beginning with '.' Yann Droneaud
2013-05-20 21:43 ` [PATCH 2/3] read_config: ignore directory entry with backup suffix (~) Yann Droneaud
2013-05-20 21:43 ` [PATCH 3/3] read_config: skip file/directory with unsecure permissions Yann Droneaud
[not found] ` <0a6888edc9d7899fe3b4af249c4f25088e196422.1369085762.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2013-05-21 20:57 ` Jason Gunthorpe
[not found] ` <20130521205713.GB11318-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2013-08-08 19:24 ` Yann Droneaud
[not found] ` <1375989856.27609.10.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2013-08-12 19:05 ` Jason Gunthorpe
[not found] ` <20130812190545.GA7968-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2013-08-12 20:24 ` Yann Droneaud
[not found] ` <8d276f12593ddc79233fa41abdaf0d41-zgzEX58YAwA@public.gmane.org>
2013-08-12 20:39 ` Jason Gunthorpe [this message]
[not found] ` <20130812203935.GA8990-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2013-08-12 20:59 ` Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A8237388CA54FE-P5GAC/sN6hkd3b2yrw5b5LfspsVTdybXVpNB7YpNyf8@public.gmane.org>
2013-08-12 23:43 ` Jason Gunthorpe
2013-05-22 21:32 ` Roland Dreier
[not found] ` <CAL1RGDX+XTMmwDQicztdJoq0oE0VfXvg5dhW8k-YEk38-vg6fw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-08-08 10:12 ` Yann Droneaud
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130812203935.GA8990@obsidianresearch.com \
--to=jgunthorpe-epgobjl8dl3ta4ec/59zmfatqe2ktcn/@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.