From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752784AbbK1XLo (ORCPT ); Sat, 28 Nov 2015 18:11:44 -0500 Received: from a.ns.miles-group.at ([95.130.255.143]:11949 "EHLO radon.swed.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751161AbbK1XLm (ORCPT ); Sat, 28 Nov 2015 18:11:42 -0500 Subject: Re: [PATCH 1/2] um: Set secure access mode for temporary file To: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , linux-kernel@vger.kernel.org References: <1448746350-19998-1-git-send-email-mic@digikod.net> <1448746350-19998-2-git-send-email-mic@digikod.net> <565A1F49.3040408@nod.at> <565A3035.6030104@digikod.net> <565A30DB.1070902@nod.at> <565A3228.5080908@digikod.net> Cc: Jeff Dike , Tristan Schmelcher , Greg Kroah-Hartman , user-mode-linux-devel@lists.sourceforge.net, user-mode-linux-user@lists.sourceforge.net From: Richard Weinberger Message-ID: <565A34AB.5010303@nod.at> Date: Sun, 29 Nov 2015 00:11:39 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: <565A3228.5080908@digikod.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am 29.11.2015 um 00:00 schrieb Mickaël Salaün: > > > On 28/11/2015 23:55, Richard Weinberger wrote: >> Am 28.11.2015 um 23:52 schrieb Mickaël Salaün: >>> >>> On 28/11/2015 22:40, Richard Weinberger wrote: >>>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün: >>>>> Replace the default insecure mode 0777 with 0700 for temporary file. >>>>> >>>>> Prohibit other users to change the executable mapped code. >>>> >>>> Hmm, isn't the tmp file already unlinked at this stage? >>>> >>> >>> Yes, but if someone could open it before the unlink e.g. because of the umask (which does not seems to be the case thanks to mkstemp, but remains unspecified [1]), this user should then be able to have write access to the file descriptor/description. >> >> Yes, someone can open it before the unlink. But you change the file mode after that. >> How does it improve the situation? The attacker has already the file handle. > > The attacker could have the file handle only in a read-only mode, which is a bit different than being able to write and execute arbitrary code thanks to a file descriptor mapped RWX :) Fair point. Please describe this in detail in the patch changelog. :-) Thanks, //richard