From: Richard Weinberger <richard@nod.at>
To: "Mickaël Salaün" <mic@digikod.net>, linux-kernel@vger.kernel.org
Cc: Jeff Dike <jdike@addtoit.com>,
	Tristan Schmelcher <tschmelcher@google.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	user-mode-linux-devel@lists.sourceforge.net,
	user-mode-linux-user@lists.sourceforge.net
Subject: Re: [PATCH 1/2] um: Set secure access mode for temporary file
Date: Sun, 29 Nov 2015 00:11:39 +0100	[thread overview]
Message-ID: <565A34AB.5010303@nod.at> (raw)
In-Reply-To: <565A3228.5080908@digikod.net>

On 29.11.2015 at 00:00, Mickaël Salaün wrote:
> 
> 
> On 28/11/2015 23:55, Richard Weinberger wrote:
>> On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>>>
>>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>>>> Replace the default insecure mode 0777 with 0700 for the temporary file.
>>>>>
>>>>> Prohibit other users from changing the executable mapped code.
>>>>
>>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>>
>>>
>>> Yes, but if someone could open it before the unlink, e.g. because of the umask (which does not seem to be the case thanks to mkstemp, but remains unspecified [1]), this user should then be able to have write access to the file descriptor/description.
>>
>> Yes, someone can open it before the unlink. But you change the file mode after that.
>> How does it improve the situation? The attacker already has the file handle.
> 
> The attacker could have the file handle only in read-only mode, which is a bit different from being able to write and execute arbitrary code thanks to a file descriptor mapped RWX :)

Fair point. Please describe this in detail in the patch changelog. :-)

Thanks,
//richard
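The point the two of them settle on above (the access mode of a file description is fixed when it is opened, so a later fchmod()/unlink() cannot take write access away from a descriptor that raced the creation of the backing file, but a file that was never writable to others can only ever hand out read-only descriptors) can be shown directly. The program below is an added example written for this page; it is not part of the thread or of the um code. It assumes mkstemp() for creation, a fchmod(0700)-then-unlink() sequence standing in for whatever um actually does, and a path under /tmp (falling back to the current directory). Since it runs as a single user it cannot show the 0700 deny itself; the O_RDONLY case models the most an intruder could get from a file that is not world-writable, and the O_RDWR case models the 0777 window the patch closes.

```c
/* Added example (not part of this thread or of the um code): shows that the
 * access mode of an already-open file description is fixed at open() time,
 * so fchmod()/unlink() after the fact cannot revoke write access from a
 * descriptor that raced the creation of the backing file. The fchmod-then-
 * unlink sequence and the /tmp path are assumptions standing in for what
 * um actually does. Build with: cc -o um-demo um-demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAP_LEN 4096

/* Create the backing file; try /tmp first, then the current directory. */
static int make_backing_file(char *path, size_t path_len)
{
    const char *candidates[] = { "/tmp/um-demo-XXXXXX", "./um-demo-XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        snprintf(path, path_len, "%s", candidates[i]);
        int fd = mkstemp(path);                 /* mode 0600, O_RDWR */
        if (fd >= 0)
            return fd;
    }
    return -1;
}

/* Returns 1 if a write through the intruder's descriptor shows up in the
 * owner's MAP_SHARED mapping, 0 if the kernel refused it (EBADF: the
 * description was never open for writing), -1 on setup failure. */
static int probe_mapping(int intruder_flags)
{
    char path[64];
    int fd = make_backing_file(path, sizeof path);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, MAP_LEN) < 0) {
        close(fd); unlink(path); return -1;
    }

    /* Race window: the file still has a name and (in the 0777 case) a
     * permissive mode, so the intruder opens it with the flags it wants. */
    int intruder = open(path, intruder_flags);
    if (intruder < 0) {
        close(fd); unlink(path); return -1;
    }

    /* Owner tightens the mode and drops the name only afterwards. */
    fchmod(fd, 0700);
    unlink(path);

    unsigned char *mem = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE,
                              MAP_SHARED, fd, 0);
    if (mem == MAP_FAILED) {
        close(intruder); close(fd); return -1;
    }
    memset(mem, 0, MAP_LEN);

    /* Intruder tries to patch the memory the owner has mapped. */
    static const unsigned char payload[4] = { 0xde, 0xad, 0xbe, 0xef };
    ssize_t n = pwrite(intruder, payload, sizeof payload, 0);
    int result;
    if (n == (ssize_t)sizeof payload)
        result = memcmp(mem, payload, sizeof payload) == 0;   /* 1: patched */
    else
        result = (errno == EBADF) ? 0 : -1;

    munmap(mem, MAP_LEN);
    close(intruder);
    close(fd);
    return result;
}

/* Intruder raced the 0777 window and got an O_RDWR description. */
int intruder_rdwr_patches_mapping(void)   { return probe_mapping(O_RDWR); }
/* Intruder could only open read-only (file not writable to others). */
int intruder_rdonly_patches_mapping(void) { return probe_mapping(O_RDONLY); }

int main(void)
{
    printf("O_RDWR   descriptor patched mapping: %d\n", intruder_rdwr_patches_mapping());
    printf("O_RDONLY descriptor patched mapping: %d\n", intruder_rdonly_patches_mapping());
    return 0;
}
```

The first call returns 1: the write lands in the owner's mapping even though the file has since been chmod'ed to 0700 and unlinked, which is Richard's objection. The second returns 0 with EBADF: a description opened read-only stays read-only, which is why the mode at creation time, not the later chmod, decides whether anyone else can ever write into the mapped memory.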


Thread overview (20+ messages):
2015-11-28 21:32 [PATCH 0/2] um: Protect memory mapped file Mickaël Salaün
2015-11-28 21:32 ` [PATCH 1/2] um: Set secure access mode for temporary file Mickaël Salaün
2015-11-28 21:40   ` [uml-devel] " Richard Weinberger
2015-11-28 22:52     ` Mickaël Salaün
2015-11-28 22:55       ` Richard Weinberger
2015-11-28 23:00         ` Mickaël Salaün
2015-11-28 23:11           ` Richard Weinberger [this message]
2015-11-28 21:32 ` [PATCH 2/2] um: Use race-free temporary file creation Mickaël Salaün
2015-11-28 22:07   ` [uml-devel] " Richard Weinberger
2015-11-28 22:56     ` Mickaël Salaün
2015-11-28 22:59       ` Richard Weinberger
2015-11-28 23:02         ` Mickaël Salaün
