From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: mtk.manpages@gmail.com, "Jorge Boncompte [DTI2]" <jorge@dti2.net>,
Jiri Benc <jbenc@redhat.com>, David Miller <davem@davemloft.net>,
Vivek Goyal <vgoyal@redhat.com>, Simo Sorce <ssorce@redhat.com>,
"security@kernel.org" <security@kernel.org>,
Network Development <netdev@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC][PATCH] netlink: Only check file credentials for implicit destinations
Date: Mon, 26 May 2014 10:38:43 +0200 [thread overview]
Message-ID: <5382FD93.8090106@gmail.com> (raw)
In-Reply-To: <CALCETrVezgCY61wSO_5kTJz-tX5HdYwbEPpS-HAy8bg7KEqibA@mail.gmail.com>
On 05/25/2014 06:50 PM, Andy Lutomirski wrote:
> On Sat, May 24, 2014 at 10:38 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>>
>> It was possible to get a setuid root or setcap executable to write to
>> it's stdout or stderr (which has been set made a netlink socket) and
>> inadvertently reconfigure the networking stack.
>>
>> To prevent this we check that both the creator of the socket and
>> the currentl applications has permission to reconfigure the network
>> stack.
>>
>> Unfortunately this breaks Zebra which always uses sendto/sendmsg
>> and creates it's socket without any privileges.
>>
>> To keep Zebra working don't bother checking if the creator of the
>> socket has privilege when a destination address is specified. Instead
>> rely exclusively on the privileges of the sender of the socket.
>>
>
> Cute.
>
>> + NETLINK_SKB_DST = 0x8, /* Packet not socket destination */
>
> How about "sendto/sendmsg with explicit destination"
>
> Whatever we settle on, I think this'll need to end up in the man
> pages. Cc: Michael Kerrisk. I hereby volunteer to write something
> up.
>
> Michael, for background: Pre-linux-3.15, sending netlink messages to
> the kernel checked the credentials of the sender. This is a security
> bug: the sender might be a setuid-root program with stdout or stderr
> redirected to a netlink socket (or an SCM_RIGHTS user, etc).
Andy, thanks for putting your hand-up, and thanks especially
for paragraph of background. (Too often, I get CCed into a thread
with the implication that something needs to be fixed in man-pages
without any explanation of what or why.)
Cheers,
Michael
> The proposal in this patch is that doing privileged things using a
> netlink socket will require the sender to have capabilities and
> (either sendto/sendmsg with an explicit destination or a connected
> socket that was created by a privileged user).
>
> This is still not great from a security POV: if you can get a hold of
> a privileged socket (i.e. a socket created with CAP_NET_ADMIN
> available), then you can connect it and try to attack the kernel.
> This issue would go away if we hooked netlink_connect. I can try
> writing up that version of the patch tomorrow.
>
> --Andy
>
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
next prev parent reply other threads:[~2014-05-26 8:38 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CALCETrUaYhh6Dkzn0TMEUz-GEO9-6ObByk5d_xRViSMBbp5Pkg@mail.gmail.com>
[not found] ` <cover.1397840611.git.luto@amacapital.net>
[not found] ` <6daf425e2023266d52d181e4d2ee18747d4f1fa8.1397840611.git.luto@amacapital.net>
[not found] ` <87tx9nuxf6.fsf@x220.int.ebiederm.org>
[not found] ` <CALCETrUqNVRBse4rUeUKfgYt0d+9x1JrEHGcZ_DnWyq7W6Yyzw@mail.gmail.com>
[not found] ` <87r44qtabz.fsf@x220.int.ebiederm.org>
[not found] ` <CALCETrWzUQ7QjykT85ExDfX-+9eDD-D-dcxofUMPvLK=ia9arg@mail.gmail.com>
[not found] ` <87r44qrt8v.fsf_-_@x220.int.ebiederm.org>
2014-04-22 21:13 ` [PATCH 0/6]: Preventing abuse when passing file descriptors Eric W. Biederman
2014-04-22 21:14 ` [PATCH 1/6] netlink: Rename netlink_capable netlink_allowed Eric W. Biederman
2014-04-22 21:15 ` [PATCH 2/6] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Eric W. Biederman
2014-04-22 21:15 ` [PATCH 3/6] net: Fix ns_capable check in packet_diag_dump Eric W. Biederman
2014-04-22 21:16 ` [PATCH 4/6] net: Add variants of capable for use on on sockets Eric W. Biederman
2014-04-22 21:16 ` [PATCH 5/6] net: Add variants of capable for use on netlink messages Eric W. Biederman
2014-04-22 21:17 ` [PATCH 6/6] net: Use netlink_ns_capable to verify the permisions of " Eric W. Biederman
2014-04-23 19:32 ` [PATCH 0/6]: Preventing abuse when passing file descriptors David Miller
2014-04-23 21:24 ` [PATCH 0/5]: " Eric W. Biederman
2014-04-23 21:25 ` [PATCH 1/5] netlink: Rename netlink_capable netlink_allowed Eric W. Biederman
2014-04-23 21:26 ` [PATCH 2/5] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Eric W. Biederman
2014-04-23 21:26 ` [PATCH 3/5] net: Add variants of capable for use on on sockets Eric W. Biederman
2014-04-23 21:28 ` [PATCH 4/5] net: Add variants of capable for use on netlink messages Eric W. Biederman
2014-04-23 21:29 ` [PATCH 5/5] net: Use netlink_ns_capable to verify the permisions of " Eric W. Biederman
2014-05-07 22:18 ` Jorge Boncompte [DTI2]
2014-05-07 22:26 ` Andy Lutomirski
2014-05-07 22:52 ` David Miller
2014-05-07 23:01 ` Andy Lutomirski
2014-05-07 23:34 ` Linus Torvalds
2014-05-07 23:45 ` Andy Lutomirski
2014-05-22 15:05 ` Jiri Benc
2014-05-23 23:25 ` Eric W. Biederman
2014-05-23 23:51 ` Linus Torvalds
2014-05-24 22:34 ` David Miller
2014-05-25 5:38 ` [RFC][PATCH] netlink: Only check file credentials for implicit destinations Eric W. Biederman
2014-05-25 16:50 ` Andy Lutomirski
2014-05-25 23:44 ` Eric W. Biederman
2014-05-26 0:32 ` Linus Torvalds
2014-05-26 5:36 ` [RFC][PATCH 2/1] netlink: Use the credential at the time the destination address was set Eric W. Biederman
2014-05-26 17:19 ` Andy Lutomirski
2014-05-27 4:24 ` Eric W. Biederman
2014-05-26 13:39 ` [RFC][PATCH] netlink: Only check file credentials for implicit destinations Willy Tarreau
2014-05-26 8:38 ` Michael Kerrisk (man-pages) [this message]
2014-05-25 5:45 ` [PATCH 5/5] net: Use netlink_ns_capable to verify the permisions of netlink messages Eric W. Biederman
2014-05-25 16:27 ` Andy Lutomirski
2014-05-08 21:29 ` Stephen Hemminger
2014-05-08 21:32 ` Andy Lutomirski
[not found] ` <CA+55aFzOHZcw2o6Cq6rSddSBDZvhgzYToBruak9SLCHxx-fA3Q@mail.gmail.com>
2014-05-08 21:49 ` Andy Lutomirski
2014-05-08 22:07 ` Stephen Hemminger
2014-05-08 21:54 ` David Miller
2014-05-07 23:45 ` David Miller
2014-05-08 21:21 ` Stephen Hemminger
2014-05-08 21:52 ` David Miller
2014-05-08 21:54 ` Andy Lutomirski
2014-04-24 17:45 ` [PATCH 0/5]: Preventing abuse when passing file descriptors David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5382FD93.8090106@gmail.com \
--to=mtk.manpages@gmail.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=jbenc@redhat.com \
--cc=jorge@dti2.net \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
--cc=serge@hallyn.com \
--cc=ssorce@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).