From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Dave McCracken <dmccr@us.ibm.com>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2.5.30+] Fourth attempt at a shared credentials patch
Date: Mon, 12 Aug 2002 22:08:46 +0200 [thread overview]
Message-ID: <15704.5582.889793.670322@charged.uio.no> (raw)
In-Reply-To: <71170000.1028926261@baldur.austin.ibm.com>
>>>>> " " == Dave McCracken <dmccr@us.ibm.com> writes:
> I think I mostly nailed the intermezzo case. I did go through
> it.
Are you sure? AFAICS, the intermezzo code assumes that ngroups/groups
won't change while you inside the intermezzo layer itself. Look at the
way they stuff current->ngroups into the record 'size', then do the
actual copy in journal_log_prefix()...
>> Finally, you also want all those reads and changes to more than
>> one value in the credential such as the stuff in
>> security/capability.c, or net/socket.c,... to be atomic. (Note:
>> This is where 'struct ucred' with COW gives you an efficiency
>> gain).
> I disagree. It won't generate bogus values of any of these
> fields. There may be some cases where it'll pick up a
> combination of before and after values, but I don't see where
> any of that is fatal.
It doesn't have to be fatal in order to be a security risk. The kernel
simply does not know whether or not formula A (random combination of
uid/gid/groups) will be secure as opposed to the before/after states.
>> Please also note that you only need spinlocking for the
>> particular case of tasks that have set CLONE_CRED. In all other
>> cases, it adds a rather nasty overhead...
> Spinlock isn't nasty overhead, if it's not contested. It seems
> to me that checking whether it's shared is as much overhead as
> just taking the lock.
spinlocking is designed so as to invalidate the processor caches.
Cheers,
Trond
next prev parent reply other threads:[~2002-08-12 20:05 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-08-08 14:58 [PATCH 2.5.30+] Second attempt at a shared credentials patch Dave McCracken
2002-08-08 15:32 ` Trond Myklebust
2002-08-08 16:20 ` Dave McCracken
2002-08-08 16:54 ` Trond Myklebust
2002-08-08 18:05 ` Dave McCracken
2002-08-08 19:56 ` Trond Myklebust
2002-08-08 20:11 ` Dave McCracken
2002-08-08 21:55 ` Trond Myklebust
2002-08-09 19:24 ` [PATCH 2.5.30+] Fourth " Dave McCracken
2002-08-09 19:51 ` Trond Myklebust
2002-08-09 20:51 ` Dave McCracken
2002-08-12 20:08 ` Trond Myklebust [this message]
2002-08-09 21:15 ` Linus Torvalds
2002-08-08 20:11 ` [PATCH 2.5.30+] Second " Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=15704.5582.889793.670322@charged.uio.no \
--to=trond.myklebust@fys.uio.no \
--cc=dmccr@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox