From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] new syscall: flink
Date: 7 Apr 2003 02:29:58 GMT [thread overview]
Message-ID: <b6qnr6$s4h$1@abraham.cs.berkeley.edu> (raw)
In-Reply-To: b6qo2a$ecl$1@cesium.transmeta.com
H. Peter Anvin wrote:
>Alan Cox wrote:
>> Suppose I give you an O_RDONLY handle to a file which you then
>> flink and gain write access too ?
>
>This, I believe, is the real issue. However, we already have that
>problem:
No, I don't think we already have that problem. I think flink()
would introduce a new security hole not already present.
> rfd = open("testfile", O_RDONLY|O_CREAT, 0666);
> /* Now rfd is a read-only file descriptor */
>
> sprintf(filebuf, "/proc/self/fd/%d", rfd);
> wfd = open(filebuf, O_RDWR);
I don't think this is the same. With /proc/self/fd, I can't escalate
privileges on a read-only fd. You did the wrong test, because the user
already has write access to "testfile". Change the above to make rfd a
read-only file descriptor to a file that I don't have write permission to,
and you'll find that the test all of a sudden fails. (For instance, add
a chmod("testfile", 0444); between the two open()s, and see what happens.)
I think /proc/self/fd is doing the right thing. /proc/self/fd doesn't
seem to be a security hole, unless I'm missing something. I think flink()
would be a security risk, though. Or did I overlook something?
next prev parent reply other threads:[~2003-04-07 2:43 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-06 19:05 [PATCH] new syscall: flink Dan Kegel
2003-04-06 19:07 ` Dan Kegel
2003-04-06 19:56 ` Oliver Neukum
2003-04-06 20:08 ` Malcolm Beattie
2003-04-06 20:33 ` Oliver Neukum
2003-04-06 21:12 ` Alan Cox
2003-04-07 2:33 ` H. Peter Anvin
2003-04-07 2:29 ` David Wagner [this message]
2003-04-07 9:09 ` Malcolm Beattie
2003-04-07 11:02 ` Olivier Galibert
2003-04-07 5:25 ` H. Peter Anvin
2003-04-07 6:43 ` David Wagner
2003-04-07 6:21 ` Vitaly
2003-04-07 16:17 ` Shaya Potter
-- strict thread matches above, loose matches on Subject: below --
2003-04-11 17:11 Clayton Weaver
2003-04-10 22:10 Clayton Weaver
2003-04-11 1:02 ` David Wagner
2003-04-10 0:31 Clayton Weaver
2003-04-08 13:06 Chuck Ebbert
2003-04-07 23:57 Chuck Ebbert
2003-04-07 16:50 Clayton Weaver
2003-04-07 17:11 ` Arjan van de Ven
2003-04-07 17:37 ` David Wagner
2003-04-07 18:43 ` Werner Almesberger
2003-04-08 5:06 ` Werner Almesberger
2003-04-07 20:35 ` H. Peter Anvin
2003-04-07 9:01 Clayton Weaver
[not found] <20030407102005.4c13ed7f.manushkinvv@desnol.ru>
[not found] ` <200304070709.h37792815083@mozart.cs.berkeley.edu>
2003-04-07 7:35 ` Vitaly
2003-04-07 14:57 ` H. Peter Anvin
2003-04-07 18:47 ` Wichert Akkerman
2003-04-07 20:05 ` Bill Rugolsky Jr.
2003-04-07 20:32 ` H. Peter Anvin
2003-04-07 2:56 Mark Grosberg
2003-04-07 3:39 ` H. Peter Anvin
2003-04-07 7:29 ` Miquel van Smoorenburg
2003-04-07 8:18 ` Olivier Galibert
2003-04-07 8:35 ` Jakub Jelinek
2003-04-07 9:11 ` Olivier Galibert
2003-04-07 11:13 ` Alan Cox
2003-04-07 12:31 ` Roman Zippel
2003-04-07 12:54 ` Andreas Schwab
2003-04-07 13:19 ` Roman Zippel
2003-04-07 20:55 ` Fredrik Tolf
2003-04-07 21:43 ` Ulrich Drepper
2003-04-07 22:17 ` Fredrik Tolf
2003-04-07 22:25 ` Ulrich Drepper
2003-04-07 22:55 ` Fredrik Tolf
2003-04-06 18:39 Ulrich Drepper
2003-04-07 17:35 ` Linus Torvalds
2003-04-07 20:37 ` H. Peter Anvin
2003-04-08 0:23 ` Ulrich Drepper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='b6qnr6$s4h$1@abraham.cs.berkeley.edu' \
--to=daw@mozart.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox