From: ebiederm@xmission.com (Eric W. Biederman)
To: Aleksa Sarai
Cc: "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, Valentin Rothberg, cyphar@cyphar.com, stable@vger.kernel.org
References: <20171105025635.10843-1-asarai@suse.de>
Date: Thu, 09 Nov 2017 15:40:18 -0600
In-Reply-To: (Aleksa Sarai's message of "Sun, 5 Nov 2017 15:02:10 +1100")
Message-ID: <87inejdtbx.fsf@xmission.com>
Subject: Re: [PATCH v3] scsi: require CAP_SYS_ADMIN to write to procfs interface
X-Mailing-List: linux-kernel@vger.kernel.org

Aleksa Sarai writes:

> On 11/05/2017 01:56 PM, Aleksa Sarai wrote:
>> Previously, the only capability effectively required to operate on the
>> /proc/scsi interface was CAP_DAC_OVERRIDE (or for some other files,
>> having an fsuid of GLOBAL_ROOT_UID was enough). This means that
>> semi-privileged processes could interfere with core components of a
>> system (such as causing a DoS by removing the underlying SCSI device of
>> the host's / mount).
>
> An alternative to this patch would be to make the open(2) call fail, if you try
> to open it write-only or read-write. Not sure which would be preferred (should
> it be possible to pass /proc/scsi/scsi to a semi-privileged process to write
> to?).

Making open fail is very much the preferred solution.
Testing for permission on write can be avoided by finding a suid root
application whose error output acts like a suid cat.

The best current practice for adding this kind of permission check is to
add the check in open. For some older use cases where we made this mistake
we had to maintain a check during write to avoid breaking userspace. But as
this check is new there is no reason to add a check anywhere except in open.

Eric
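The open-time versus write-time distinction Eric describes, as an added example that is not part of this thread or of the SCSI patch: a small userspace C model (constructed; the capability bits, the struct file and the scenario names are assumptions for illustration, not kernel APIs) that runs the same descriptor handoff under both policies. A write-time check is evaluated against whoever performs the write, so a descriptor opened by a process holding only CAP_DAC_OVERRIDE and then written through a more privileged process passes it; an open-time check is evaluated once against the opener, and the descriptor carries that refusal no matter who later holds it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the open-time vs write-time check discussed in the
 * thread; not kernel code. Capabilities are bits in a small set. */
typedef unsigned int caps_t;
#define CAP_DAC_OVERRIDE (1u << 0)
#define CAP_SYS_ADMIN    (1u << 1)

/* The open file object a write handler sees. As in the kernel, it does not
 * remember who opened it; it only carries what the open handler stored. */
struct file {
    bool writable;
};

/* Policy A (the approach the reply argues against): DAC-only check at open,
 * CAP_SYS_ADMIN checked at write against whoever performs the write. */
static int write_time_open(caps_t opener, bool for_write, struct file *f)
{
    /* Any opener with CAP_DAC_OVERRIDE passes the DAC check on the file. */
    if (for_write && !(opener & CAP_DAC_OVERRIDE))
        return -1;              /* EACCES */
    f->writable = for_write;
    return 0;
}

static int write_time_write(caps_t writer, const struct file *f)
{
    if (!f->writable)
        return -1;              /* EBADF */
    if (!(writer & CAP_SYS_ADMIN))
        return -1;              /* EPERM: evaluated against the writer */
    return 0;                   /* command accepted */
}

/* Policy B (what the reply recommends): CAP_SYS_ADMIN checked once, at open.
 * The descriptor then carries that decision wherever it is passed. */
static int open_time_open(caps_t opener, bool for_write, struct file *f)
{
    if (for_write && !(opener & CAP_SYS_ADMIN))
        return -1;              /* EPERM */
    f->writable = for_write;
    return 0;
}

static int open_time_write(caps_t writer, const struct file *f)
{
    (void)writer;               /* the writer's identity no longer matters */
    if (!f->writable)
        return -1;              /* EBADF */
    return 0;
}

/* Run one scenario under either policy: 'opener' opens for writing, 'writer'
 * performs the write (they differ when the descriptor is handed to another
 * process). Returns 1 if the write is accepted, 0 if open or write refuses. */
static int run_scenario(bool check_in_open, caps_t opener, caps_t writer)
{
    struct file f = { false };
    int rc = check_in_open ? open_time_open(opener, true, &f)
                           : write_time_open(opener, true, &f);
    if (rc != 0)
        return 0;
    rc = check_in_open ? open_time_write(writer, &f)
                       : write_time_write(writer, &f);
    return rc == 0 ? 1 : 0;
}

/* The case from the thread: a process with only CAP_DAC_OVERRIDE opens the
 * file and the write is then performed through a fully privileged process. */
static int deputy_scenario(bool check_in_open)
{
    return run_scenario(check_in_open, CAP_DAC_OVERRIDE,
                        CAP_DAC_OVERRIDE | CAP_SYS_ADMIN);
}

/* A legitimate administrator opening and writing the file itself. */
static int admin_scenario(bool check_in_open)
{
    return run_scenario(check_in_open, CAP_DAC_OVERRIDE | CAP_SYS_ADMIN,
                        CAP_DAC_OVERRIDE | CAP_SYS_ADMIN);
}

int main(void)
{
    printf("write-time check, deputy : %d\n", deputy_scenario(false)); /* 1 */
    printf("open-time check,  deputy : %d\n", deputy_scenario(true));  /* 0 */
    printf("write-time check, admin  : %d\n", admin_scenario(false));  /* 1 */
    printf("open-time check,  admin  : %d\n", admin_scenario(true));   /* 1 */
    return 0;
}
```

Read the results as accepted (1) or refused (0). The admin scenario is the same under both policies, which is the point of the reply: for a new interface, moving the check to open costs a legitimately privileged caller nothing and closes the descriptor-passing route, whereas a write-time check has to be kept only where it already exists and userspace depends on it.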