From: ebiederm@xmission.com (Eric W. Biederman)
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: pavel@ucw.cz, alan@lxorguk.ukuu.org.uk,
akpm@linux-foundation.org, viro@ZenIV.linux.org.uk,
dhowells@redhat.com, hch@infradead.org, adilger@sun.com,
mtk.manpages@gmail.com, torvalds@linux-foundation.org,
drepper@gmail.com, jamie@shareable.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 resend] vfs: new O_NODE open flag
Date: Sat, 07 Nov 2009 03:48:43 -0800 [thread overview]
Message-ID: <m1y6mipnc4.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <E1N6jWB-0006gu-2u@pomaz-ex.szeredi.hu> (Miklos Szeredi's message of "Sat\, 07 Nov 2009 12\:31\:43 +0100")
Miklos Szeredi <miklos@szeredi.hu> writes:
> On Sat, 07 Nov 2009, ebiederm@xmission.com (Eric W. Biederman wrote:
>> Miklos Szeredi <miklos@szeredi.hu> writes:
>>
>> > On Fri, 06 Nov 2009, ebiederm@xmission.com (Eric W. Biederman wrote:
>> >> So far no one who believes this to be a security hole has found it
>> >> worth their while to look at nd->intent.open in proc_pid_follow_link
>> >> and write a patch.
>> >
>> > A rather disgusting patch that would be. The fact is, checking
>> > permissions on follow_link makes little to no sense. Consider
>> > truncate(2), for example. Will we add another intent for that? I
>> > really hope not
>>
>> No. I was just thinking we have the open intent that is there for
>> combining lookup and open. We can look test for LOOKUP_OPEN and do
>> exactly what we need.
>
> No, because you just covered half the cases. truncate(2) will still
> work fine on the /proc/PID/fd/FD belonging to a O_RDONLY file
> descriptor.
Good point as truncate is as bad as opening read-write. Shrug.
>> > I'm more and more convinced, that the current behavior is the right
>> > one.
>>
>> I think the 15 or so years we have had the current behavior without
>> problems is persuasive.
>>
>> I think it is an interesting puzzle on how to get dup instead of
>> reopen as there are cases where that could be useful behavior as well.
>
> Probably doable with ptrace().
>
>> The usefulness of an O_NONE flag increases significantly if you can
>> open the reference file later with more permissions. Essentially
>> making a hardlink into a running program. Hmm. Weird cases do seem
>> to show up when the last dir entry is removed.
>
> Why are they more weird than files opened without O_NODE?
Because as I recall O_NODE skips all permission checks. Which would
mean you can limit who holds a reference to your inode without O_NODE.
> The only really weird case Alan spotted is device nodes, where the
> actual device registered to a major/minor pair changes over time,
> possibly allowing a re-open to access a device it otherwise was not
> meant to. BTW if the device number reuse happens really quickly, this
> could even be a race for a plain open. Real solution might actually
> be in udev: when deregistering a device, change mode bits to all-zero
> before removing the device node.
Devices nodes specifically were the case I was thinking of.
Changing the mode bits to all-zero at the final unlink would be a lot
more reliable and certain in the kernel.
>> I wonder if we want a rule that you can't open a file with link count
>> of 0. Reasoning may get truly strange otherwise.
>
> Again, don't see why this would be different for O_NODE as for
> non-O_NODE files descriptors.
Eric
next prev parent reply other threads:[~2009-11-07 11:48 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-05 11:23 [PATCH v2 resend] vfs: new O_NODE open flag Miklos Szeredi
2009-11-05 13:15 ` Alan Cox
2009-11-05 14:27 ` Miklos Szeredi
2009-11-05 14:50 ` Alan Cox
2009-11-05 15:24 ` Miklos Szeredi
2009-11-05 15:56 ` Alan Cox
2009-11-05 16:52 ` Miklos Szeredi
2009-11-05 18:25 ` Alan Cox
2009-11-06 11:10 ` Miklos Szeredi
2009-11-06 1:40 ` Jamie Lokier
2009-11-06 11:31 ` Miklos Szeredi
2009-11-06 14:17 ` Pavel Machek
2009-11-06 20:55 ` Eric W. Biederman
2009-11-07 7:49 ` Miklos Szeredi
2009-11-07 11:09 ` Eric W. Biederman
2009-11-07 11:31 ` Miklos Szeredi
2009-11-07 11:48 ` Eric W. Biederman [this message]
2009-11-08 17:01 ` Pavel Machek
2009-11-16 11:50 ` Miklos Szeredi
2009-11-07 17:58 ` Pavel Machek
2009-11-09 8:58 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1y6mipnc4.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adilger@sun.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=dhowells@redhat.com \
--cc=drepper@gmail.com \
--cc=hch@infradead.org \
--cc=jamie@shareable.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=mtk.manpages@gmail.com \
--cc=pavel@ucw.cz \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.