public inbox for linux-kernel@vger.kernel.org
From: Djalal Harouni <tixxdz@opendz.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Arnd Bergmann <arnd@arndb.de>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
	Tom Gundersen <teg@jklm.no>, Jiri Kosina <jkosina@suse.cz>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Daniel Mack <daniel@zonque.org>,
	David Herrmann <dh.herrmann@gmail.com>
Subject: Re: Sharing credentials in general (Re: [GIT PULL] kdbus for 4.1-rc1)
Date: Mon, 27 Apr 2015 14:01:47 +0100
Message-ID: <20150427130147.GA5315@dztty>
In-Reply-To: <CALCETrXXUiYKAhsXsdqH2uZMddDhK5hX6V9+rZcHwa1X5WC+1g@mail.gmail.com>

On Thu, Apr 23, 2015 at 12:41:18PM -0700, Andy Lutomirski wrote:
> On Thu, Apr 23, 2015 at 11:48 AM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> > On Thu, Apr 23, 2015 at 10:57 AM, Linus Torvalds
[...]
> Objection 2: There's a difference between the printer daemon knowing
> that Angry Penguins has general permission to print and an explicit
> assertion by Angry Penguins of its permission to print.  Suppose that
> printing is implemented by having Angry Penguins call the method Write
> on some kdbus thing.  Suppose further that changing root's password is
> implemented by having the caller call the method Write on some other
> kdbus thing.  Before changing the password, the password daemon makes
> sure that the caller (or the caller's kdbus conn or whatever) has
> password-changing permissions.  Before printing, the printer daemon
> makes sure that the caller has printing permissions.
> 
> In kdbus, this is IMO a big problem.  See, I can try to find some
> setuid root program that takes a printer object as input (however
> kdbus might do this -- presumably it would be an object name) and
> calls Write to print some diagnostic thing.  Now I just feed it the
> password-changing thingy as input and I can get it to "print" to the
> root password.  Oops.

This will not only introduce complexity, it is formulated for a
"supposed" problem, and even if this problem exists, the fix _should_
be simple, no reason to add the extra complexity.

A suid root program that takes objects from input without assuming that
the unprivileged user has provided them is a bogus program, and the fix
should be at this layer, _not_ introduce extra layers...

The same thing can be applied on every other part of the kernel, what if
a suid program takes some input, constructs objects/structs based on
that, and makes a direct syscall or one through a library into another
part of the kernel? I don't see why it is a problem for kdbus since
this supposed problem can affect every major part of the kernel. If there
is something to fix here, then sure it is not at this level.

Thanks!

-- 
Djalal Harouni
http://opendz.org
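
Added example, not part of the original message and not kdbus code: a small C model of the scenario debated in this thread, where a setuid helper forwards a Write to a caller-named object, once with its own authority and once with the invoking user's. All names (`bus_write`, `helper_unchecked`, `helper_checked`, the `printer` and `passwd` objects, uid 1000) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model, not kdbus: two bus objects that both expose Write
 * and authorize on the credentials presented with the call. */
struct object { const char *name; uid_t allowed_uid; int writes; };

static struct object objects[] = {
    { "printer", 1000, 0 },   /* uid 1000 has permission to print */
    { "passwd",  0,    0 },   /* only root may change the password */
};

static struct object *lookup(const char *name) {
    for (size_t i = 0; i < sizeof(objects) / sizeof(objects[0]); i++)
        if (strcmp(objects[i].name, name) == 0)
            return &objects[i];
    return NULL;
}

/* Service side: 0 if the write is accepted, -1 if unknown or denied. */
static int bus_write(const char *name, uid_t caller) {
    struct object *o = lookup(name);
    if (!o || (caller != 0 && caller != o->allowed_uid))
        return -1;
    o->writes++;
    return 0;
}

/* Setuid-root helper, "before": sends its diagnostic to whatever object
 * the invoking user named, using its own effective uid (0). */
static int helper_unchecked(const char *target, uid_t ruid) {
    (void)ruid;
    return bus_write(target, 0);
}

/* "After": the target is untrusted input, so the write is made with the
 * invoking user's authority (real uid), not the helper's. */
static int helper_checked(const char *target, uid_t ruid) {
    return bus_write(target, ruid);
}

int main(void) {
    printf("unchecked -> passwd:  %d\n", helper_unchecked("passwd", 1000));
    printf("checked   -> passwd:  %d\n", helper_checked("passwd", 1000));
    printf("checked   -> printer: %d\n", helper_checked("printer", 1000));
    return 0;
}
```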
