From: Andrew Lutomirski <luto@mit.edu>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] vfs: new O_NODE open flag
Date: Mon, 7 Dec 2009 10:03:33 -0500 [thread overview]
Message-ID: <cb0375e10912070703j4e5769c7tec6090378248a187@mail.gmail.com> (raw)
In-Reply-To: <20091207141321.0964461d@lxorguk.ukuu.org.uk>
On Mon, Dec 7, 2009 at 9:13 AM, Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
>> > That is *exactly* the problem, which is clearly what you are missing here.
>>
>> I don't think so, but maybe I'm wrong. Could you describe your attack
>> scenario in detail then, please?
>
> First obvious attack: get an O_NODE handle to a device you have assigned
> to your ownership
>
> while(1)
> fchmod(fd, 0666);
>
> wait for device to unload, reload and be intended for another user
> Race udev to a real open. You have a similar problem with vhangup() and
> ttys.
Huh? I would've thought that udev would (and already does?), on
device unload, chown to 0:0, then chmod to 0000, then unlink, in which
case that attack doesn't work.
If you mean that someone could have an O_NODE handle open, then the
device unregisters, then, before udev has a chance to do anything at
all, a new device w/ the same major/minor numbers appears, then the
O_NODE handle owner upgrades to a real fd, then we have worse worries:
the attacker could just open the device node on disk without O_NODE,
hard links, or any other funny tricks. revoke() wouldn't fix that
either.
I'll admit that O_NODE scares me a bit from a security perspective,
but so do hard links and /proc/self/fd in general, and I'm not really
convinced that there are any new attacks here.
Would you be okay with a patch that prevented opening
/proc/self/fd/xxx on O_NODE handles? I personally don't care about
O_NODE all that much, but I'd like a decent in-kernel AFS
implementation (and a decent revoke() implementation, and especially
the ability to revoke whole filesystems would be really nice too).
--Andy
>
> This cannot happen with the existing kernel because there cannot be an
> open handle when the original device unload occurs[1] and it cannot happen
> with vhangup because the hangup is basically a special case revoke()
> implementation for tty devices.
>
> O_NODE changes the whole lifetime semantics for inodes. It's not
> something you can do casually. pioctl() gets this right although for the
> same reason as path based chmod/chown/etc all get it right, O_NODE breaks
> it all horribly.
>
> Alan
> [1] If you think about it a wait for no references is the same barrier as
> a revoke but a blocking one.
>
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2009-12-07 15:03 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-02 16:16 [PATCH v3] vfs: new O_NODE open flag Miklos Szeredi
2009-12-02 19:15 ` Alan Cox
2009-12-02 20:13 ` Miklos Szeredi
2009-12-02 20:48 ` Alan Cox
2009-12-03 5:46 ` Miklos Szeredi
2009-12-05 14:42 ` Andy Lutomirski
2009-12-05 19:40 ` Miklos Szeredi
2009-12-05 20:28 ` Alan Cox
2009-12-05 20:35 ` Miklos Szeredi
2009-12-05 23:13 ` Alan Cox
2009-12-07 6:08 ` Miklos Szeredi
2009-12-07 12:23 ` Alan Cox
2009-12-07 12:41 ` Miklos Szeredi
2009-12-07 12:47 ` Miklos Szeredi
2009-12-07 13:03 ` Alan Cox
2009-12-07 13:08 ` Miklos Szeredi
2009-12-07 13:15 ` Alan Cox
2009-12-07 13:16 ` Miklos Szeredi
2009-12-07 14:13 ` Alan Cox
2009-12-07 14:25 ` Miklos Szeredi
2009-12-07 14:46 ` Alan Cox
2009-12-07 15:11 ` Miklos Szeredi
2009-12-07 17:40 ` Alan Cox
2009-12-07 15:03 ` Andrew Lutomirski [this message]
2009-12-07 15:50 ` Miklos Szeredi
2009-12-07 17:16 ` Alan Cox
2009-12-10 7:39 ` Pavel Machek
2009-12-06 8:46 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cb0375e10912070703j4e5769c7tec6090378248a187@mail.gmail.com \
--to=luto@mit.edu \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).