Re: [PATCH 2/2] debugfs: only allow root access to debugging interfaces

[Greg KH <gregkh@suse.de>]

On Thu, Feb 24, 2011 at 04:22:14PM -0800, Kees Cook wrote:
> Hi Greg,
> 
> On Tue, Feb 22, 2011 at 12:54:13PM -0800, Kees Cook wrote:
> > On Tue, Feb 22, 2011 at 12:37:04PM -0800, Greg KH wrote:
> > > On Tue, Feb 22, 2011 at 12:28:56PM -0800, Kees Cook wrote:
> > > > On Tue, Feb 22, 2011 at 12:16:10PM -0800, Greg KH wrote:
> > > > > On Tue, Feb 22, 2011 at 11:50:18AM -0800, Kees Cook wrote:
> > > > > > On Tue, Feb 22, 2011 at 07:34:18PM +0000, Alan Cox wrote:
> > > > > > > > What system do you proposed to keep these "stupid mistakes" from
> > > > > > > > continuing to happen? If debugfs had already been mode 0700, we could have
> > > > > > > > avoided all of these CVEs, including the full-blown local root escalation.
> > > > > > > 
> > > > > > > And all sorts of features would have put themselves in sysfs instead and
> > > > > > > broken no doubt.
> > > > > > > 
> > > > > > > > The "no rules" approach to debugfs is not a good idea, IMO.
> > > > > > > 
> > > > > > > It's a debugging fs, it needs to be "no rules" other than the obvious
> > > > > > > "don't mount it on production systems"
> > > > > > 
> > > > > > Okay, so the debugfs is not supposed to be mounted on a production system.
> > > > > 
> > > > > No, not true at all, the "enterprise" distros all mount debugfs for good
> > > > > reason on their systems.
> > > > 
> > > > What reasons are those? Or better yet, why do you and Alan Cox disagree on
> > > > this point?
> > > 
> > > These distros have made the decision to support the perf interface,
> > > which lives in debugfs, for their customers.  I'm not saying that I
> > > disagree with Alan about this, just pointing out the reality of the
> > > situation here.
> > 
> > A tool used only by the root user, so the proposed mount mode of 0700
> > wouldn't break anything.
> 
> The summary is this:
>  - debugfs has been demonstrably dangerous to have available

Wait, I do not believe this statement at all.

It's like saying "sysfs and proc are demonstrably dangerous to have
available" because there were some bugs with some implementations of
sysfs and proc files in the past.

>  - Alan Cox says that debugfs should not be used on production systems
>  - Greg KH does not disagree

I also don't agree, as my day-job entails supporting a wide range of
production systems with this filesystem mounted and enabled.

>  - however, pref needs it, and this is used by some root users
>  - perf will likely move out of debugfs as some point
> 
> What is the objection, then, to making the root of debugfs mode 0600? All
> the tools I reviewed that need it run as root (e.g. powertop). I've
> already written, tested, and sent the patches -- they would not break
> the requirements above.

There are a wide range of other files that can be safely read as a
normal user in debugfs.  For example, the usb debugging files which we
use to help debug hardware controller issues.  Now yes, we could ask the
user to become root first, but is that really necessary?

Again, I feel these were just a few bugs that do not reflect the much
larger and benificial use of this filesystem.  We now have a set of
checks in place to prevent this type of error from occuring again, why
not rely on that instead of just removing the whole filesystem from
normal users entirely?

thanks,

greg k-h