From: Oleg Nesterov <oleg@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>, Al Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@amacapital.net>,
"security@kernel.org" <security@kernel.org>,
Ingo Molnar <mingo@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Brad Spengler <spender@grsecurity.net>
Subject: Re: /proc/pid/fd && anon_inode_fops
Date: Mon, 26 Aug 2013 17:33:01 +0200 [thread overview]
Message-ID: <20130826153301.GA15890@redhat.com> (raw)
In-Reply-To: <CA+55aFzbY3zYD1i5x02Z-6K3nHKzJj6227ZBYRLqij9y0eXRqQ@mail.gmail.com>
On 08/25, Linus Torvalds wrote:
>
> On Sun, Aug 25, 2013 at 12:48 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > pid_revalidate() does inode->i_*id = GLOBAL_ROOT_*ID if task_dumpable()
> > fails, but it can fail simply because ->mm = NULL.
> >
> > This means that almost everything in /proc/zombie-pid/ becomes root.
> > Doesn't really hurt, but for what? Looks a bit strange imho.
>
> The zombie case shouldn't be relevant, because a zombie will have
> closed all the file descriptors anyway, so they no longer exist.
I specially mentioned that this is off-topic ;)
> That said, task_dumpable isn't wonderful, and I suspect we could drop
> that logic entirely in the tid-fd case if we just use f_cred.
Probably yes, but I do not understand this S_IFLNK && uid/chmod magic
in tid_fd_revalidate(). And afaics this should not affect readlink()
anyway. So yes, ->f_cred makes more sense to me, but I can't comment.
But, afaics, speaking of task_dumpable() this doesn't matter. Please
forget about /proc/fd or zombies. I can't even understand
proc_pid_make_inode() or pid_revalidate().
$ id
uid=1000(tst) gid=100(users) groups=100(users)
$ cp `which ls` ls
$ chmod a-r ./ls
$
$ ./ls -l /proc/self/
total 0
-r-------- 1 root root 0 Aug 26 06:35 auxv
-r--r--r-- 1 root root 0 Aug 26 06:35 cgroup
--w------- 1 root root 0 Aug 26 06:35 clear_refs
-r--r--r-- 1 root root 0 Aug 26 06:35 cmdline
-rw-r--r-- 1 root root 0 Aug 26 06:35 comm
-rw-r--r-- 1 root root 0 Aug 26 06:35 coredump_filter
lrwxrwxrwx 1 root root 0 Aug 26 06:35 cwd -> /home/tst
-r-------- 1 root root 0 Aug 26 06:35 environ
lrwxrwxrwx 1 root root 0 Aug 26 06:35 exe -> /home/tst/ls
dr-x------ 2 root root 0 Aug 26 06:35 fd
dr-x------ 2 root root 0 Aug 26 06:35 fdinfo
-rw-r--r-- 1 root root 0 Aug 26 06:35 gid_map
-r--r--r-- 1 root root 0 Aug 26 06:35 limits
-r--r--r-- 1 root root 0 Aug 26 06:35 maps
-rw------- 1 root root 0 Aug 26 06:35 mem
-r--r--r-- 1 root root 0 Aug 26 06:35 mountinfo
-r--r--r-- 1 root root 0 Aug 26 06:35 mounts
-r-------- 1 root root 0 Aug 26 06:35 mountstats
dr-xr-xr-x 4 tst users 0 Aug 26 06:35 net
dr-x--x--x 2 root root 0 Aug 26 06:35 ns
-rw-r--r-- 1 root root 0 Aug 26 06:35 oom_adj
-r--r--r-- 1 root root 0 Aug 26 06:35 oom_score
-rw-r--r-- 1 root root 0 Aug 26 06:35 oom_score_adj
-r--r--r-- 1 root root 0 Aug 26 06:35 pagemap
-r--r--r-- 1 root root 0 Aug 26 06:35 personality
-rw-r--r-- 1 root root 0 Aug 26 06:35 projid_map
lrwxrwxrwx 1 root root 0 Aug 26 06:35 root -> /
-r--r--r-- 1 root root 0 Aug 26 06:35 smaps
-r--r--r-- 1 root root 0 Aug 26 06:35 stack
-r--r--r-- 1 root root 0 Aug 26 06:35 stat
-r--r--r-- 1 root root 0 Aug 26 06:35 statm
-r--r--r-- 1 root root 0 Aug 26 06:35 status
-r--r--r-- 1 root root 0 Aug 26 06:35 syscall
dr-xr-xr-x 3 tst users 0 Aug 26 06:35 task
-rw-r--r-- 1 root root 0 Aug 26 06:35 uid_map
-r--r--r-- 1 root root 0 Aug 26 06:35 wchan
For what? Say,
-r--r--r-- 1 root root 0 Aug 26 06:35 status
but it is S_IRUGO anyway, why do we need to change the owner?
dr-x------ 2 root root 0 Aug 26 06:35 fd
OK, this means that I can't access this dir from another process.
Not sure we really want this in this case but
$ ./ls /proc/self/fd
0 1 2 3
still works, I guess thanks to proc_fd_permission().
However, say,
-r-------- 1 root root 0 Aug 26 06:35 mountstats
actually becomes unreadable even via /proc/self/.
Imho, this all is confusing. Perhaps it makes sense to "chmod", say,
/proc/pid/maps if !task_dumpable(), but "chown" looks strange.
Oleg.
next prev parent reply other threads:[~2013-08-26 15:33 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-21 19:14 [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) Andy Lutomirski
[not found] ` <CA+55aFxi-ps2f2M8xPhfbuQ0pToqupPrDsLi2+GPUK2sqdYfUw@mail.gmail.com>
[not found] ` <CALCETrW7+LcexA6v6RQDKhni_yJAduOmiSDneCpq3v8sPDvwUQ@mail.gmail.com>
2013-08-21 20:16 ` Willy Tarreau
2013-08-22 18:48 ` Linus Torvalds
2013-08-22 18:53 ` Willy Tarreau
2013-08-22 19:05 ` Andy Lutomirski
2013-08-22 19:23 ` Linus Torvalds
2013-08-22 20:10 ` Andy Lutomirski
2013-08-22 20:15 ` Willy Tarreau
2013-08-22 20:22 ` Andy Lutomirski
2013-08-22 20:44 ` Linus Torvalds
2013-08-22 20:48 ` Andy Lutomirski
2013-08-22 20:54 ` Linus Torvalds
2013-08-22 20:58 ` Andy Lutomirski
2013-08-23 1:07 ` Al Viro
2013-08-25 3:37 ` Al Viro
2013-08-25 7:26 ` Andy Lutomirski
2013-08-25 14:23 ` Al Viro
2013-08-25 17:04 ` Andy Lutomirski
2013-08-25 19:57 ` Linus Torvalds
2013-08-25 20:06 ` Al Viro
2013-08-25 20:23 ` Linus Torvalds
2013-08-26 17:37 ` Linus Torvalds
2013-08-26 18:07 ` Linus Torvalds
2013-08-26 18:11 ` Andy Lutomirski
2013-08-27 19:16 ` [RFC PATCH] fs: Add user_file_or_path_at and use it for truncate Andy Lutomirski
2013-08-27 19:32 ` Linus Torvalds
2013-08-27 20:28 ` Andy Lutomirski
2013-08-28 6:16 ` Al Viro
2013-08-28 16:24 ` Linus Torvalds
2013-08-28 19:04 ` Andy Lutomirski
2013-08-28 19:59 ` Al Viro
2013-08-28 21:07 ` Andy Lutomirski
2013-08-27 23:08 ` Al Viro
2013-08-27 23:13 ` Andy Lutomirski
2013-08-24 18:29 ` /proc/pid/fd && anon_inode_fops Oleg Nesterov
2013-08-24 21:24 ` Willy Tarreau
2013-08-25 5:23 ` Al Viro
2013-08-25 6:50 ` Willy Tarreau
2013-08-25 18:51 ` Linus Torvalds
2013-08-25 19:48 ` Oleg Nesterov
2013-08-25 20:05 ` Linus Torvalds
2013-08-26 15:33 ` Oleg Nesterov [this message]
2013-08-26 16:37 ` Oleg Nesterov
2013-08-26 17:54 ` [PATCH] proc: make proc_fd_permission() thread-friendly Oleg Nesterov
2013-08-26 18:09 ` Linus Torvalds
2013-08-26 19:35 ` Linus Torvalds
2013-08-26 20:20 ` Willy Tarreau
2013-08-27 15:05 ` Oleg Nesterov
2013-08-27 14:39 ` [PATCH 0/1] proc: make /proc/self point to thread Oleg Nesterov
2013-08-27 14:40 ` [PATCH 1/1] " Oleg Nesterov
2013-08-27 16:39 ` Linus Torvalds
2013-08-27 17:49 ` Oleg Nesterov
2013-08-27 18:15 ` Linus Torvalds
2013-08-27 18:28 ` Oleg Nesterov
[not found] ` <CALCETrXP-mYBPRon=0NzexW1FK1Qxz2+Bwv7-WeHBQpvW7ywRg@mail.gmail.com>
2013-08-27 15:45 ` [PATCH] proc: make proc_fd_permission() thread-friendly Oleg Nesterov
2013-08-26 18:32 ` Eric W. Biederman
2013-08-26 18:46 ` Oleg Nesterov
2013-08-26 18:56 ` Oleg Nesterov
2013-08-26 19:10 ` Eric W. Biederman
2013-08-27 14:53 ` Oleg Nesterov
2013-08-25 18:32 ` /proc/pid/fd && anon_inode_fops Linus Torvalds
2013-08-25 19:11 ` Al Viro
2013-08-25 19:17 ` Andy Lutomirski
2013-09-03 15:58 ` Pavel Machek
2013-08-25 15:45 ` Oleg Nesterov
[not found] ` <20130825051044.GY27005@ZenIV.linux.org.uk>
[not found] ` <20130825155348.GB25922@redhat.com>
[not found] ` <CALCETrXrtP2C+g=QeNWK4EMctmonW91kWoO1xmy7rDmEj__1Dw@mail.gmail.com>
[not found] ` <20130825174936.GA30957@redhat.com>
2013-08-25 17:55 ` [PATCH 0/1] anon_inodefs: forbid open via /proc Oleg Nesterov
2013-08-25 17:55 ` [PATCH 1/1] " Oleg Nesterov
2013-08-22 19:39 ` [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130826153301.GA15890@redhat.com \
--to=oleg@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=security@kernel.org \
--cc=spender@grsecurity.net \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.