PATCH: dropping the "/.anonymous-pipe*" scheme

Kevin Buhr (buhr@stat.wisc.edu)
27 Jun 1997 13:15:58 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dong Chen: "Re: patch for apm_bios.c (kernel 2.0.30)"
Previous message: Jonathan Freeson: "XFree86 3.3 + CL GD5464 + 2.1.x"

--Multipart_Fri_Jun_27_13:15:57_1997-1
Content-Type: text/plain; charset=US-ASCII

Linus:

In case you've missed it, we've been considering (on linux-kernel) the
new scheme (introduced in 2.1.43) of putting dcache entries for
anonymous pipes into the root directory.

These pipes are created with the current fsuid/fsgid and can be opened
and read, "stealing" unread content from the output end of the pipe.
Possible problems with this scheme include:

1. Programs using the sys_setfsuid system call may not be prepared to
deal with the security implications of anonymous pipes appearing in
the filespace as named pipes owned by the current fsuid.

2. Some implementations of "nfsd" might allow a remote user to suck
out the contents of pipes from an exported root filesystem, even if it
is exported read-only.

3. These pipes may have been the source of the nightly "aging an empty
inode" messages I was seeing.

4. "chown" and "chgrp" calls on these pipes currently cause a kernel
NULL pointer dereference.

The enclosed patch (against pre-patch-2.1.44-3) disables this feature.

Kevin <buhr@stat.wisc.edu>

--Multipart_Fri_Jun_27_13:15:57_1997-1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="inode-patch"
Content-Transfer-Encoding: 7bit

Index: inode.c
===================================================================
RCS file: /spare2/kernel-cvs/linux/fs/inode.c,v
retrieving revision 1.1.1.1.2.2
diff -u -r1.1.1.1.2.2 inode.c
--- linux/fs/inode.c 1997/06/27 15:20:55 1.1.1.1.2.2
+++ linux/fs/inode.c 1997/06/27 15:59:51
@@ -682,8 +682,12 @@
inode->i_op = &pipe_inode_operations;
PIPE_READERS(*inode) = PIPE_WRITERS(*inode) = 1;

- /* I hope this does not introduce security problems.
- * Please check and give me response.
+#if 0
+ /* this scheme breaks backup programs, could allow remote
+ * users to suck out the contents of a pipe via NFS, might
+ * introduce new security holes in programs using
+ * "sys_setfsuid", and causes kernel oopses on chown/chgrp
+ * calls
*/
{
char dummyname[32];
@@ -697,6 +701,7 @@
d_add(new, inode, &dummy, D_BASKET);
vfs_unlock();
}
+#endif
return inode;
}

--Multipart_Fri_Jun_27_13:15:57_1997-1--

Next message: Dong Chen: "Re: patch for apm_bios.c (kernel 2.0.30)"
Previous message: Jonathan Freeson: "XFree86 3.3 + CL GD5464 + 2.1.x"