From: Xiao Yang <yangx.jy@cn.fujitsu.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH] read_all: Drop privileges
Date: Wed, 16 May 2018 17:39:01 +0800 [thread overview]
Message-ID: <5AFBFC35.3060400@cn.fujitsu.com> (raw)
In-Reply-To: <87bmdhyyrf.fsf@rpws.prws.suse.cz>
Hi Richard,
If the permission of /dev/watchdog was 0600(default permission on RHEL7), we could not read /dev/watchdog
as nobody user and returned EACCES as expected.
If the permission of /dev/watchdog was 0660(default permission on RHEL6), Reading /dev/watchdog as nobody
user failed, but still led to system reboot.
I think reading /dev/watchdog as nobody user should get EACCES even if the permission is 0660, but i am not
sure whether this is a watchdog bug in kernel or not.
Thanks,
Xiao Yang
On 2018/05/15 18:55, Richard Palethorpe wrote:
> Hello,
>
> Cyril Hrubis writes:
>
>> Hi!
>>> +static void maybe_drop_privs(void)
>>> +{
>>> + struct passwd *nobody;
>>> +
>>> + if (!drop_privs)
>>> + return;
>>> +
>>> + nobody = SAFE_GETPWNAM("nobody");
>>> +
>>> + TEST(setgid(nobody->pw_gid));
>>> + if (TEST_RETURN< 0&& TEST_ERRNO != EPERM)
>>> + tst_res(TBROK | TTERRNO, "Failed to use nobody gid");
>> ^
>> Shouldn't this be tst_brk()?
>>
>>> + TEST(setuid(nobody->pw_uid));
>>> + if (TEST_RETURN< 0&& TEST_ERRNO != EPERM)
>>> + tst_res(TBROK | TTERRNO, "Failed to use nobody uid");
>> ^
>> And here as well?
>>
>> Otherwise it looks fine.
> Well spotted, yes it should.
>
next prev parent reply other threads:[~2018-05-16 9:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-15 9:51 [LTP] [PATCH] read_all: Drop privileges Richard Palethorpe
2018-05-15 10:30 ` Cyril Hrubis
2018-05-15 10:55 ` Richard Palethorpe
2018-05-15 10:57 ` Cyril Hrubis
2018-05-15 11:18 ` Punit Agrawal
2018-05-15 12:34 ` Richard Palethorpe
2018-05-15 11:23 ` Punit Agrawal
2018-05-16 9:39 ` Xiao Yang [this message]
2018-05-16 11:44 ` Cyril Hrubis
2018-05-17 10:20 ` Xiao Yang
2018-05-18 17:09 ` Cyril Hrubis
2018-05-19 9:04 ` Xiao Yang
2018-05-19 9:22 ` [LTP] [PATCH] fs/read_all: Clear suplementary groups before droping privileges Xiao Yang
2018-05-22 10:26 ` Richard Palethorpe
2018-05-22 10:56 ` Cyril Hrubis
2018-05-22 10:54 ` Cyril Hrubis
2018-05-15 11:00 ` [LTP] [PATCH v2] read_all: Drop privileges Richard Palethorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5AFBFC35.3060400@cn.fujitsu.com \
--to=yangx.jy@cn.fujitsu.com \
--cc=ltp@lists.linux.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox