From: James Bottomley <James.Bottomley-l3A5Bk7waGM@public.gmane.org>
To: Vasiliy Kulikov <segoon-cxoSlKxDwOJWk0Htik3J/w@public.gmane.org>
Cc: Greg KH <greg-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>,
security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
acpi4asus-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
linux-scsi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
rtc-linux-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org,
linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
platform-driver-x86-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
open-iscsi-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org,
linux-omap-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
linux-media-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
Date: Tue, 15 Mar 2011 12:32:31 -0400 [thread overview]
Message-ID: <1300206751.11313.3.camel@mulgrave.site> (raw)
In-Reply-To: <20110315160804.GA3380@albatros>
On Tue, 2011-03-15 at 19:08 +0300, Vasiliy Kulikov wrote:
> On Tue, Mar 15, 2011 at 07:50 -0400, James Bottomley wrote:
> > 1. Did anyone actually check for capabilities before assuming world
> > writeable files were wrong?
>
> I didn't check all these files as I haven't got these hardware :-)
You don't need the hardware to check ... the question becomes is a
capabilities test sitting in the implementation or not.
> But
> as I can "chmod a+w" all sysfs files on my machine and they all become
> sensible to nonroot writes, I suppose there is nothing preventing
> nonroot users from writing to these buggy sysfs files. As you can see,
> there are no capable() checks in these drivers in open() or write().
>
> > 2. Even if there aren't any capabilities checks in the implementing
> > routines, should there be (are we going the separated
> > capabilities route vs the monolithic root route)?
>
> IMO, In any case old good DAC security model must not be obsoleted just
> because someone thinks that MAC or anything else is more convenient for
> him. If sysfs is implemented via filesystem then it must support POSIX
> permissions semantic. MAC is very good in _some_ cases, but not instead
> of DAC.
Um, I'm not sure that's even an issue. capabilities have CAP_ADMIN
which is precisely the same check as owner == root. We use this a lot
because ioctls ignore the standard unix DAC model.
James
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2011-03-15 16:32 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-04 12:22 [PATCH 00/20] world-writable files in sysfs and debugfs Vasiliy Kulikov
2011-02-04 12:24 ` [PATCH 18/20] scsi: aic94xx: world-writable sysfs update_bios file Vasiliy Kulikov
2011-02-04 12:24 ` [PATCH 19/20] scsi: iscsi: world-writable sysfs priv_sess file Vasiliy Kulikov
[not found] ` <1ca8a99eaadde79e662573d89e4f17a20457fba0.1296818921.git.segoon-cxoSlKxDwOJWk0Htik3J/w@public.gmane.org>
2011-03-13 8:28 ` Mike Christie
2011-02-04 13:11 ` [rtc-linux] [PATCH 00/20] world-writable files in sysfs and debugfs Linus Walleij
2011-03-12 20:23 ` Vasiliy Kulikov
[not found] ` <AANLkTikE-A=Fe-yRrN0opWwJGQ0f4uOzkyB3XCcEUrFE@mail.gmail.com>
2011-03-14 22:18 ` [Security] " Andrew Morton
2011-03-15 2:26 ` James Bottomley
2011-03-15 3:09 ` [Security] " Greg KH
2011-03-15 11:50 ` James Bottomley
2011-03-15 14:18 ` Greg KH
2011-03-15 14:25 ` James Bottomley
2011-03-15 16:08 ` Vasiliy Kulikov
2011-03-15 16:32 ` James Bottomley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300206751.11313.3.camel@mulgrave.site \
--to=james.bottomley-l3a5bk7wagm@public.gmane.org \
--cc=acpi4asus-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=greg-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org \
--cc=linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-media-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-omap-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-scsi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=open-iscsi-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org \
--cc=platform-driver-x86-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=rtc-linux-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org \
--cc=security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=segoon-cxoSlKxDwOJWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).