Re: [PATCH] POSIX message queues

From: Amos Waterland (apw@us.ibm.com)
Date: Sat Aug 31 2002 - 20:50:25 EST

Next message: Alex Riesen: "2.4.20-pre1-ac1: Filesystem panic attempting to mount ext3"
Previous message: Miles Lane: "Re: 2.5.33 -- make[1]: *** [char] Segmentation fault (core dumped) -- SOLVED"
Next in thread: Ingo Molnar: "Re: [PATCH] POSIX message queues"
Reply: Ingo Molnar: "Re: [PATCH] POSIX message queues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Aug 31, 2002 at 01:43:56PM +0200, pwaechtler@mac.com wrote:
> Am Freitag den, 30. August 2002, um 11:48, schrieb Amos Waterland:
>
> > On Thu, Aug 29, 2002 at 11:53:50PM +0200, pwaechtler@mac.com wrote:
> >> some comments as asked for:
> >>
> >> I know that it's nowhere stated, but POSIX mqueues are perfectly
> >> designed to be implemented in userspace with locking facilities
> >> provided by the system.
> >
> > I am not sure if this is correct. You can achieve proper locking in
> > userspace, but I do not think you achieve proper security.
>
> Well, I can't think of efficient inter process locks without
> kernel/scheduler help.
> Do you want to use a spinlock, with lowering priority or even sleep, use
> a pipe/fifo/flock or waiting in sigsuspend? This all is implemented in
> kernel space.
> How would you implement entirely userspace locking?
> With futexes (fast "userspace" locks) only the uncontented case is
> handled
> in userspace - if there's contention the process waits inside the
> kernel - or
> does get a notification from the kernel (AWAIT or FD)

I think we are agreeing: POSIX mqueues are not perfectly designed to be
implemented in userspace.

> > I assume you are proposing an implementation based on shared memory:
> > which means that at least some pages of the shared memory must be
> > writable. If the processes cooperate and only write to the shared pages
> > through library routines which use sychronization, things are ok, but a
> > malicious process could forge messages or perform DOS attacks etc. by
> > bypassing the mq_*() functions and using write().
>
> yes, of course that could be compromised by a process with the same uid.
> This process could simply kill the other process too.
> The shm_open() employs proper file system permission on the object.

No, it is more complicated than that. They can be compromised by an
arbitrary process if the permissions on the mq include S_IWOTH.

That is the fundamental problem with a userspace shared memory
implementation: write permissions on a message queue should grant
mq_send(), but write permissions on shared memory grant a lot more than
just that.

Amos Waterland
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alex Riesen: "2.4.20-pre1-ac1: Filesystem panic attempting to mount ext3"
Previous message: Miles Lane: "Re: 2.5.33 -- make[1]: *** [char] Segmentation fault (core dumped) -- SOLVED"
Next in thread: Ingo Molnar: "Re: [PATCH] POSIX message queues"
Reply: Ingo Molnar: "Re: [PATCH] POSIX message queues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Sep 07 2002 - 22:00:13 EST