From: Vasiliy Kulikov <segooon@gmail.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: check capabilities in open()
Date: Sun, 25 Jul 2010 05:45:11 +0000 [thread overview]
Message-ID: <20100725054511.GB9018@albatros> (raw)
In-Reply-To: <20100724182355.GA9134@ZenIV.linux.org.uk>
On Sat, Jul 24, 2010 at 19:23 +0100, Al Viro wrote:
> On Sat, Jul 24, 2010 at 08:07:01PM +0400, Vasiliy Kulikov wrote:
> > Hi,
> >
> > I've found that some drivers check process capabilities via capable() in
> > open(), not in ioctl()/write()/etc.
> >
> > I cannot find answer in POSIX, but IMO process expects that file
> > descriptors of priviledged user and file descriptors of the same
> > file/device are the same in priviledge aspect. Driver should deny/allow
> > open() and deny/allow ioctl() based on user priviledges. The path how
> > the process gained this fd doesn't matter.
> >
> > So I think these 2 examples should be equal:
> >
> > 1) root process opened the file and then dropped its priviledges
> >
> > 2) nonroot process opened the file
>
> They most certainly should _not_. Consider the following mechanism:
> process A authenticates itself to process B
> B is convinced to open a file that wouldn't be readable for A.
> B passes descriptor to A.
> A reads from it.
> You are breaking that.
No, I mean that if driver allowed process to open the file, gained fd
should be the same. I say that if process A has _opened_ file, its fd should be the same
that convinced from B.
In your example and current implementation process A allowed to open
file, but it is not the same if B opens file and passes fd to A.
Example from drivers/char/apm-emulation.c:
static int apm_open(struct inode * inode, struct file * filp)
{
...
as->suser = capable(CAP_SYS_ADMIN);
...
}
apm_ioctl(struct file *filp, u_int cmd, u_long arg)
{
...
if (!as->suser || !as->writer)
return -EPERM;
...
}
Root can open apm file (as->suser would be true), pass it to
unpriviledged process and it would be able to suspend the system
(as->suser would be still true).
Unpriviledged process can also open apm file (as->suser would be 0), but
would not be able to suspend the system.
Also patalogical case :) unpriviledged process passes fd to root process
and root process cannot suspend the system.
Btw, the list of such drivers is much smaller, some of them just return
-EPERM and open() fails, it is OK. I'll resend more precise list soon.
next prev parent reply other threads:[~2010-07-25 5:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-24 16:07 check capabilities in open() Vasiliy Kulikov
2010-07-24 18:23 ` Al Viro
2010-07-25 5:45 ` Vasiliy Kulikov [this message]
2010-07-25 9:23 ` Vasiliy Kulikov
2010-07-26 11:23 ` Ted Ts'o
2010-07-26 16:52 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100725054511.GB9018@albatros \
--to=segooon@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox