public inbox for linux-kernel@vger.kernel.org
From: Alan Cox <alan@www.pagan.org.uk>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: SG_IO and security
Date: Thu, 12 Aug 2004 21:16:44 +0100
Message-ID: <1092341803.22458.37.camel@localhost.localdomain>
In-Reply-To: <Pine.LNX.4.58.0408120943210.1839@ppc970.osdl.org>

On Iau, 2004-08-12 at 17:45, Linus Torvalds wrote:
> On Thu, 12 Aug 2004, Linus Torvalds wrote:
> > 
> > Hmm.. This still allows the old "junk" commands (SCSI_IOCTL_SEND_COMMAND).

That uses sg_io() so gets caught as well unless I screwed up following
the code paths.

> Btw, I think the _right_ thing to check is the write access of the file 
> descriptor. If you have write access to a block device, you can delete the 
> data, so you might as well be able to do the raw commands. And that would 
> allow things like "disk" groups etc to work and burn CD's.

With the current code I can destroy all your hard disks given read
access to the drive. With checks on writable I can destroy all your hard
disks/cdroms as appropriate with write access.

Destroy here means "dead, defunct, pushing up the daisies, go order
a new one kind of dead".

In essence the interface (and the SCSI/ATA/.. layers below) don't
separate media and device. This also kicks in for partitioning since
write access to /dev/hda1 giving me SG_IO scsi access doesn't enforce
partitioning.

We end up needing some notion of what commands should be allowed to any
user and what commands should be allowed solely to superusers. That
leads to a second question for you which is one I had an argument with
Jens on.

Do we

a) Have code that essentially says "if read on base device can do ....,
if write can do ... , else capable(...)"

b) ioctls/other command functionality for the stuff users should be
allowed to do. 

Option (a) means parsing command blocks which are pretty regular and
parseable. 

Alan
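
An added sketch of option (a) from the message above, not part of the original mail and not kernel code: classify each command block by its opcode and gate it on how the device was opened. The function name sg_cmd_allowed, its parameters and the choice of which opcode goes in which class are assumptions made for illustration; the opcode values are the standard SCSI ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Access classes from option (a): what the opener needs to send a command. */
enum cmd_class { CMD_READ_OK, CMD_WRITE_OK, CMD_PRIV_ONLY };

/* Opcode is byte 0 of the CDB. The class assignments are an illustrative
 * policy, not a list taken from the thread. Unknown opcodes default to
 * privileged-only, so the filter is an allow list. */
static enum cmd_class classify(uint8_t opcode)
{
    switch (opcode) {
    case 0x00: /* TEST UNIT READY */
    case 0x03: /* REQUEST SENSE */
    case 0x08: /* READ(6) */
    case 0x12: /* INQUIRY */
    case 0x1a: /* MODE SENSE(6) */
    case 0x25: /* READ CAPACITY(10) */
    case 0x28: /* READ(10) */
    case 0x43: /* READ TOC */
        return CMD_READ_OK;
    case 0x0a: /* WRITE(6) */
    case 0x2a: /* WRITE(10) */
    case 0x35: /* SYNCHRONIZE CACHE(10) */
        return CMD_WRITE_OK;
    default:   /* everything else, including vendor-specific opcodes */
        return CMD_PRIV_ONLY;
    }
}

/* Hypothetical check: opened_for_write stands in for the file's write mode,
 * is_privileged for the capable(...) test. Returns true if allowed. */
bool sg_cmd_allowed(const uint8_t *cdb, size_t len,
                    bool opened_for_write, bool is_privileged)
{
    if (cdb == NULL || len == 0)
        return false;               /* nothing to parse: reject outright */
    if (is_privileged)
        return true;
    switch (classify(cdb[0])) {
    case CMD_READ_OK:  return true;
    case CMD_WRITE_OK: return opened_for_write;
    default:           return false;
    }
}

/* Constructed sample command blocks for trying the check. */
const uint8_t sample_inquiry[6]  = { 0x12, 0, 0, 0, 36, 0 };
const uint8_t sample_write10[10] = { 0x2a, 0, 0, 0, 0, 0, 0, 0, 1, 0 };
const uint8_t sample_vendor[6]   = { 0xc0, 0, 0, 0, 0, 0 };
```

An opcode check like this does not by itself address the partitioning point in the message: a READ or WRITE sent through a partition node would still need its block range checked against the partition bounds.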

