Re: 2.6.16-rc5-mm1

[Eric W. Biederman]

Andrew Morton <akpm@xxxxxxxx> writes:

> Mike Galbraith <efault@xxxxxx> wrote:
>>
>> On Wed, 2006-03-01 at 15:50 +0100, Laurent Riffard wrote:
>> >  
>> > 
>
> OK, thanks guys.  Eric, could you please cook up something to make the
> permissions appear-to-work as expected?

I'm thinking about it. Implementing it is easy.  Figuring out what the
check for the /proc/<pid>/fd/<#> files should be is trickier.

What disturbs me is that by my current reading of the code all of the
cool file descriptor passing of unix domain sockets is unnecessary.
You can just walk up to any process and open any file it has open.

This includes sockets and pipes and the like, as well as files.

We don't bypass individual file permission checks as far as I can
tell but we do bypass all directory permission checks.

This seems to defeat the concept of using file descriptors as
capabilities.  Heck even plan9 makes you bind your file descriptor
to your filesystem namespace before it was exported.

In the presence of chroot jails and multiple namespaces this is also
possible.

Now maybe this is all fine, and since this is what we have been doing
for years maybe it isn't a security bug, and I can just kill the
check altogether.

My gut says this is an ancient permission checking bug, and I have
started closing the hole.

So if anyone can help me wrap my head around what is expected and why.
I would greatly appreciate it.

The fuser and lsof cases seem to one aspect of it, that I had
not looked at.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/