Re: [5/8] syscall_cred() a system call that receives alternate CREDs

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Boaz Harrosh <bharrosh@panasas.com>
To: Jim Lieb <jlieb@panasas.com>
Cc: "J. Bruce Fields" <bfields@redhat.com>,
	Frank S Filz <ffilz@us.ibm.com>,
	Steven Whitehouse <swhiteho@redhat.com>,
	Steve Dickson <steved@redhat.com>,
	Jeff Layton <jlayton@redhat.com>,
	<lsf-pc@lists.linux-foundation.org>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>,
	DENIEL Philippe <philippe.deniel@cea.fr>
Subject: Re: [5/8] syscall_cred() a system call that receives alternate CREDs
Date: Tue, 9 Apr 2013 00:33:32 +0300	[thread overview]
Message-ID: <516337AC.6030707@panasas.com> (raw)
In-Reply-To: <1522251.bVHhpLrEx2@jlieb-e6410>

On 08/04/13 22:45, Jim Lieb wrote:
> We are setting user, primary group, and alt groups in sequence before we do 
> the actual work (read/write/...).  This is a potential TOCTOU race.  Granted, 
> there is little/no real atomic guarantee but implied in the syscall model is 
> that creds don't change for the duration of a syscall.  We go back to 
> userspace multiple times with creds in intermediate state(s).  Signals can 
> happen anytime but are only checked on the way back out of the syscall or we 
> can hold them off at critical times within a single syscall.  Which syscall is 
> is the one where the signal occurred?  In our case, we minimally use signals 
> (do no i/o etc.) but they are still there.  If it is one syscall, we know.
> 

signals are crap long before our case. I would not really care about signals.
The performance argument is good enough for me.

> We currently have an RFC implementation of a "creds wrapper" but it is still 
> in flux and the codiing of all these calls to "get it right" is ugly.  One 
> call, done right would be much better.
> 
> We also have a problem with the setgroups.  We escape in Linux because the 
> kernel doesn't do it process wide and glibc fakes it.  I don't want to depend 
> on that.  In FreeBSD, we can't do it at all since the creds are shared at the 

Sachin found that FBSD might be exactly the same as Linux here. Please talk to
him to make sure?

> proc level.  Note that I am constrained to think about portability and it's 
> easier to sell a new syscall than to hack fundamental kernel structures which 
> is why the "do to all" bit is in glibc...
> 

But yes a new syscall with new defined semantics is definitely a better way
to go. Just for the sake of thread_setgroups such a call is well worth it.
Completely bypass POSIX and be done with it. So strongly yes here.

Bruce, got the point? Current code with the undocumented thread_setgroups is a
POSIX hack. And will break at any given moment in time. Only a new syscall with
defined semantics will ever be correct.

Thanks
Boaz

next prev parent reply	other threads:[~2013-04-08 21:34 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-04-08 10:19 [LSF/MM TOPIC (expanded) 0/8] New API's for better exporting of VFS from user-mode daemons Boaz Harrosh
2013-04-08 10:22 ` [1/8] readdir-plus system call Boaz Harrosh
2013-04-08 10:26   ` Steven Whitehouse
2013-04-08 15:18     ` [Nfs-ganesha-devel] " Matt W. Benjamin
2013-04-08 13:51   ` DENIEL Philippe
2013-04-08 19:02   ` Abhijith Das
2013-04-10 20:31     ` Andreas Dilger
2013-05-24 16:14     ` [1/8] readdir-plus system call - LSF/MM follow up Abhijith Das
2013-05-24 19:41       ` Zach Brown
2013-05-28 14:49         ` Abhijith Das
2013-05-28 15:13           ` Jim Lieb
     [not found]             ` <OF27E1911F.3FBABA22-ON87257B79.005C087F-88257B79.005C320B@us.ibm.com>
2013-05-29  0:57               ` Jim Lieb
     [not found]                 ` <OF067A3B49.F63109B6-ON87257B7A.00137A60-88257B7A.00140BC7@us.ibm.com>
2013-05-29 10:06                   ` Jeff Layton
2013-05-29 14:04                     ` J. Bruce Fields
2013-06-04 15:38                       ` [Lsf-pc] " Christoph Hellwig
2013-06-04 15:52                         ` J. Bruce Fields
2013-05-29 16:52                   ` Re: Re: " Jim Lieb
2013-05-28 20:00           ` Andreas Dilger
2013-05-28 20:11             ` Abhijith Das
2013-04-08 10:25 ` [LSF/MM TOPIC (expanded) 0/8] New API's for better exporting of VFS from user-mode daemons Steven Whitehouse
2013-04-08 10:25 ` [2/8] Sane locks (UNPOSIX locks) Boaz Harrosh
2013-04-08 12:02   ` [Lsf-pc] " Jeff Layton
2013-04-08 10:28 ` [3/8] File delegations, Usermode API of Bruce's pending patches Boaz Harrosh
2013-04-08 10:32 ` [4/8] PNFS ioctls/syscall Boaz Harrosh
2013-04-08 10:36 ` [5/8] syscall_cred() a system call that receives alternate CREDs Boaz Harrosh
2013-04-08 13:54   ` DENIEL Philippe
2013-04-08 14:42   ` J. Bruce Fields
2013-04-08 14:58     ` Boaz Harrosh
2013-04-08 18:23     ` Jim Lieb
2013-04-08 18:31       ` J. Bruce Fields
2013-04-08 19:45         ` Jim Lieb
2013-04-08 21:33           ` Boaz Harrosh [this message]
2013-04-09 16:40             ` Jim Lieb
2013-04-08 10:42 ` [6/8] Rich ACLs (continued, drive through this time) Boaz Harrosh
2013-04-08 11:12   ` Vyacheslav Dubeyko
2013-04-08 14:27   ` Venkateswararao Jujjuri
2013-04-08 10:43 ` [7/8] Single call interface to getattr/setattr Boaz Harrosh
     [not found]   ` <OF4A1A78E0.CB4DED3E-ON87257B47.00549E35-88257B47.005520A8@us.ibm.com>
2013-04-08 16:41     ` Boaz Harrosh
2013-04-08 10:45 ` [8/8] Fix fsnotify short comings (single fd with recursive notifications) Boaz Harrosh
2013-04-08 13:59   ` DENIEL Philippe
2013-04-08 15:22     ` Al Viro
2013-04-08 15:36     ` J. Bruce Fields
2013-04-08 14:31 ` [LSF/MM TOPIC (expanded) 0/8] New API's for better exporting of VFS from user-mode daemons Venkateswararao Jujjuri

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=516337AC.6030707@panasas.com \
    --to=bharrosh@panasas.com \
    --cc=bfields@redhat.com \
    --cc=ffilz@us.ibm.com \
    --cc=jlayton@redhat.com \
    --cc=jlieb@panasas.com \
    --cc=jvrao@linux.vnet.ibm.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=lsf-pc@lists.linux-foundation.org \
    --cc=philippe.deniel@cea.fr \
    --cc=steved@redhat.com \
    --cc=swhiteho@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.