From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] new syscall: flink
Date: 7 Apr 2003 02:29:58 GMT [thread overview]
Message-ID: <b6qnr6$s4h$1@abraham.cs.berkeley.edu> (raw)
In-Reply-To: b6qo2a$ecl$1@cesium.transmeta.com
H. Peter Anvin wrote:
>Alan Cox wrote:
>> Suppose I give you an O_RDONLY handle to a file which you then
>> flink and gain write access too ?
>
>This, I believe, is the real issue. However, we already have that
>problem:
No, I don't think we already have that problem. I think flink()
would introduce a new security hole not already present.
> rfd = open("testfile", O_RDONLY|O_CREAT, 0666);
> /* Now rfd is a read-only file descriptor */
>
> sprintf(filebuf, "/proc/self/fd/%d", rfd);
> wfd = open(filebuf, O_RDWR);
I don't think this is the same. With /proc/self/fd, I can't escalate
privileges on a read-only fd. You did the wrong test, because the user
already has write access to "testfile". Change the above to make rfd a
read-only file descriptor to a file that I don't have write permission to,
and you'll find that the test all of a sudden fails. (For instance, add
a chmod("testfile", 0444); between the two open()s, and see what happens.)
I think /proc/self/fd is doing the right thing. /proc/self/fd doesn't
seem to be a security hole, unless I'm missing something. I think flink()
would be a security risk, though. Or did I overlook something?
next prev parent reply other threads:[~2003-04-07 2:43 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-06 19:05 [PATCH] new syscall: flink Dan Kegel
2003-04-06 19:07 ` Dan Kegel
2003-04-06 19:56 ` Oliver Neukum
2003-04-06 20:08 ` Malcolm Beattie
2003-04-06 20:33 ` Oliver Neukum
2003-04-06 21:12 ` Alan Cox
2003-04-07 2:33 ` H. Peter Anvin
2003-04-07 2:29 ` David Wagner [this message]
2003-04-07 9:09 ` Malcolm Beattie
2003-04-07 11:02 ` Olivier Galibert
2003-04-07 5:25 ` H. Peter Anvin
2003-04-07 6:43 ` David Wagner
2003-04-07 6:21 ` Vitaly
2003-04-07 16:17 ` Shaya Potter
-- strict thread matches above, loose matches on Subject: below --
2003-04-11 17:11 Clayton Weaver
2003-04-10 22:10 Clayton Weaver
2003-04-11 1:02 ` David Wagner
2003-04-10 0:31 Clayton Weaver
2003-04-08 13:06 Chuck Ebbert
2003-04-07 23:57 Chuck Ebbert
2003-04-07 16:50 Clayton Weaver
2003-04-07 17:11 ` Arjan van de Ven
2003-04-07 17:37 ` David Wagner
2003-04-07 18:43 ` Werner Almesberger
2003-04-08 5:06 ` Werner Almesberger
2003-04-07 20:35 ` H. Peter Anvin
2003-04-07 9:01 Clayton Weaver
[not found] <20030407102005.4c13ed7f.manushkinvv@desnol.ru>
[not found] ` <200304070709.h37792815083@mozart.cs.berkeley.edu>
2003-04-07 7:35 ` Vitaly
2003-04-07 14:57 ` H. Peter Anvin
2003-04-07 18:47 ` Wichert Akkerman
2003-04-07 20:05 ` Bill Rugolsky Jr.
2003-04-07 20:32 ` H. Peter Anvin
2003-04-07 2:56 Mark Grosberg
2003-04-07 3:39 ` H. Peter Anvin
2003-04-07 7:29 ` Miquel van Smoorenburg
2003-04-07 8:18 ` Olivier Galibert
2003-04-07 8:35 ` Jakub Jelinek
2003-04-07 9:11 ` Olivier Galibert
2003-04-07 11:13 ` Alan Cox
2003-04-07 12:31 ` Roman Zippel
2003-04-07 12:54 ` Andreas Schwab
2003-04-07 13:19 ` Roman Zippel
2003-04-07 20:55 ` Fredrik Tolf
2003-04-07 21:43 ` Ulrich Drepper
2003-04-07 22:17 ` Fredrik Tolf
2003-04-07 22:25 ` Ulrich Drepper
2003-04-07 22:55 ` Fredrik Tolf
2003-04-06 18:39 Ulrich Drepper
2003-04-07 17:35 ` Linus Torvalds
2003-04-07 20:37 ` H. Peter Anvin
2003-04-08 0:23 ` Ulrich Drepper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='b6qnr6$s4h$1@abraham.cs.berkeley.edu' \
--to=daw@mozart.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.