From: Eric Biggers <ebiggers3@gmail.com>
To: keyrings@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
linux-fscrypt@vger.kernel.org, "Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Richard Weinberger <richard@nod.at>,
Michael Halcrow <mhalcrow@google.com>
Subject: Re: Why does keyctl_invalidate() only require Search permission?
Date: Wed, 8 Mar 2017 14:18:00 -0800 [thread overview]
Message-ID: <20170308221800.GA90803@gmail.com> (raw)
In-Reply-To: <20170222011657.GC101993@gmail.com>
On Tue, Feb 21, 2017 at 05:16:57PM -0800, Eric Biggers wrote:
> Hi David (or anyone else experienced with Linux keyrings),
>
> I was surprised to discover that the keyctl_invalidate() operation, as added by
> commit fd75815f727f1 ("KEYS: Add invalidation support") only requires Search
> permission.
>
> AFAICS, this means that any process which has permission to find a key in
> searches can also "invalidate" it, which deletes it from all keyrings
> system-wide. This cannot even be forbidden by SELinux, which likewise is only
> asked for "Search" permission on the key.
>
> This is very problematic on systems that want to have a privileged process like
> 'init' set up a keyring, then give less privileged processes read-only access.
>
> What is the motivation behind only requiring Search permission, and how should
> this be fixed? Perhaps "invalidation" should require write access to all the
> keyrings the key is in, since it's similar to unlinking it from all of them? Or
> am I missing something about why it was designed the way it is?
>
> Thanks!
>
> Eric
>
David, do you have any comments on this? This seems to be a pretty serious flaw
because it makes it impossible to give processes read-only access to keys.
What would you say about solving this by making keyctl_invalidate() require both
Setattr and Search permission?
- Eric
prev parent reply other threads:[~2017-03-08 22:18 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-22 1:16 Why does keyctl_invalidate() only require Search permission? Eric Biggers
2017-03-08 22:18 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170308221800.GA90803@gmail.com \
--to=ebiggers3@gmail.com \
--cc=dhowells@redhat.com \
--cc=jaegeuk@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=richard@nod.at \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox