Re: [PATCH v2 resend] vfs: new O_NODE open flag

From: Alan Cox
Date: Thu Nov 05 2009 - 09:50:13 EST

On Thu, 05 Nov 2009 15:27:06 +0100
Miklos Szeredi <miklos@xxxxxxxxxx> wrote:

> On Thu, 5 Nov 2009, Alan Cox wrote:
> > > - re-opening normally after checking file type (there's a debate
> > > whether this would have security issues, but currently we do allow
> > > re-opening with increased permissions thorugh /proc/*/fd)
> >
> > Which has already been demonstrated to be an (unfixed) security hole.
> No it hasn't :) Jamie theorized that there *might* be a real world
> situation where the application writer didn't anticipate this
> behavior. But as to actual demonstration, we have not seen one yet, I
> think.

The examples on the list are not entirely theoretical but based on
accepted and normal behaviour for application programming and Unix
security models -so they are a security bug, minor or otherwise.

Fortunately you can patch it by hand.

> And as for reopening O_NODE files with increased permission: that's
> feature people actually expressed interest in, so it's hardly a
> security hole, is it?

Its a very unexpected semantic particularly for a passed file handle.

> > Wrong way around. The defailt should be that O_NODE fails for any handle
> > which has not specifically added support.
> Why? O_NODE can be nicely implemented without any filesystem support.

So that you audit the behaviour for unexpected surprises as you go. And
in most filesystem cases that consists of "dum de dum, nothing to see,
add default handler, tick".

But that isn't the case for some things - consider CIFS and other network
file systems.

> The only filesystems that need to do anything special is things like
> AFS which for example want to implement special ioctls, which work on
> the node itself.
> > You also need to address the open with no permissions pinning a removable
> > device question.
> The whole point of O_NODE is that it doesn't do that, it only goes as
> far as the mnt/dentry for the filesystem node and not further. It
> does not get to touch the device at all, so it can't pin it or have
> any other side effect.

You have a reference to the mnt/dentry pinned so how will you unmount the
volume ?

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at