From: ebiederm@xmission.com (Eric W. Biederman)
To: Andrew Morton <akpm@osdl.org>
Cc: Mike Galbraith <efault@gmx.de>,
Nick Piggin <nickpiggin@yahoo.com.au>,
laurent.riffard@free.fr, jesper.juhl@gmail.com,
linux-kernel@vger.kernel.org, rjw@sisk.pl, mbligh@mbligh.org,
clameter@engr.sgi.com, Paul Jackson <pj@sgi.com>,
Herbert Poetzl <herbert@13thfloor.at>
Subject: Re: 2.6.16-rc5-mm1
Date: Wed, 01 Mar 2006 13:43:53 -0700
Message-ID: <m1wtfdnbee.fsf@ebiederm.dsl.xmission.com>
In-Reply-To: <20060301121218.68fb3f76.akpm@osdl.org> (Andrew Morton's message of "Wed, 1 Mar 2006 12:12:18 -0800")

Andrew Morton <akpm@osdl.org> writes:
> Mike Galbraith <efault@gmx.de> wrote:
>>
>> On Wed, 2006-03-01 at 15:50 +0100, Laurent Riffard wrote:
>> >
>> >
>
> OK, thanks guys. Eric, could you please cook up something to make the
> permissions appear-to-work as expected?

I'm thinking about it. Implementing it is easy. Figuring out what the
check for the /proc/<pid>/fd/<#> files should be is trickier.

What disturbs me is that by my current reading of the code all of the
cool file descriptor passing of unix domain sockets is unnecessary.
You can just walk up to any process and open any file it has open.
This includes sockets and pipes and the like, as well as files.

We don't bypass individual file permission checks as far as I can
tell but we do bypass all directory permission checks.

This seems to defeat the concept of using file descriptors as
capabilities. Heck, even plan9 makes you bind your file descriptor
to your filesystem namespace before it was exported.

In the presence of chroot jails and multiple namespaces this is also
possible.

Now maybe this is all fine, and since this is what we have been doing
for years maybe it isn't a security bug, and I can just kill the
check altogether.

My gut says this is an ancient permission checking bug, and I have
started closing the hole.

So if anyone can help me wrap my head around what is expected and why,
I would greatly appreciate it.

The fuser and lsof cases seem to be one aspect of it that I had
not looked at.

Eric
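
The difference between file and directory permission checks described in the message above can be observed from user space on a process's own descriptors. This is an added example, not part of the original message or of any kernel patch; the scratch path and the names `fd_reopen_demo` and `can_read` are constructed, and it assumes Linux with /proc mounted and a non-root user (root passes both checks).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct reopen_result { int by_path, by_proc, by_proc_mode0; };

/* Open `p` read-only and read back the 5-byte marker; 1 on success. */
static int can_read(const char *p)
{
    char buf[5];
    int fd = open(p, O_RDONLY);          /* new open file description, offset 0 */
    int ok = fd >= 0 && read(fd, buf, 5) == 5 && memcmp(buf, "hello", 5) == 0;
    if (fd >= 0) close(fd);
    return ok;
}

/* Returns 0 and fills *r, or -1 if the scratch setup failed. */
int fd_reopen_demo(struct reopen_result *r)
{
    char dir[] = "/tmp/fdcap-XXXXXX";    /* constructed scratch directory */
    char path[64], link[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/secret", dir);
    int fd = open(path, O_CREAT | O_RDWR, 0600);
    if (fd < 0 || write(fd, "hello", 5) != 5) return -1;
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    if (chmod(dir, 0) != 0) return -1;   /* drop search permission on the directory */
    r->by_path = can_read(path);         /* path walk hits the directory check */
    r->by_proc = can_read(link);         /* /proc link skips the path walk */
    if (fchmod(fd, 0) != 0) return -1;   /* now drop permission on the file itself */
    r->by_proc_mode0 = can_read(link);   /* the file's own check still applies */
    close(fd);
    chmod(dir, 0700);                    /* restore access so cleanup can proceed */
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct reopen_result r;
    if (fd_reopen_demo(&r) != 0) return 1;
    printf("path=%d proc=%d proc_mode0=%d\n", r.by_path, r.by_proc, r.by_proc_mode0);
    return 0;
}
```

As a non-root user this prints `path=0 proc=1 proc_mode0=0`: the directory's mode no longer gates access once a descriptor exists, while the file's own mode still does.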