2011-02-04 14:00:44

by Vasily Kulikov

[permalink] [raw]
Subject: [PATCH 00/20] world-writable files in sysfs and debugfs

The search was made with trivial shell commands:

find | xargs grep S_IWUGO
find | xargs grep S_IWOTH

I didn't precisely investigate how exactly one may damage the
system/hardware because of issues number, maybe the harm is very limited
in case of some of these drivers.

One suspicious file is ./staging/speakup/speakup.h, but it explitly calls
macros as world-writable. I didn't check what speakup's world-writable
files provide because it requires some knowledge about the hardware.


Vasiliy Kulikov (20):
mach-omap2: mux: world-writable debugfs files
mach-omap2: pm: world-writable debugfs timer files
mach-omap2: smartreflex: world-writable debugfs voltage files
mach-ux500: mbox-db5500: world-writable sysfs fifo file
leds: lp5521: world-writable sysfs engine* files
leds: lp5523: world-writable engine* sysfs files
video: sn9c102: world-wirtable sysfs files
mfd: ab3100: world-writable debugfs *_priv files
mfd: ab3500: world-writable debugfs register-* files
mfd: ab8500: world-writable debugfs register-* files
misc: ep93xx_pwm: world-writable sysfs files
net: can: at91_can: world-writable sysfs files
net: can: janz-ican3: world-writable sysfs termination file
platform: x86: acer-wmi: world-writable sysfs threeg file
platform: x86: asus_acpi: world-writable procfs files
platform: x86: tc1100-wmi: world-writable sysfs wireless and jogdial files
rtc: rtc-ds1511: world-writable sysfs nvram file
scsi: aic94xx: world-writable sysfs update_bios file
scsi: iscsi: world-writable sysfs priv_sess file
fs: ubifs: world-writable debugfs dump_* files

arch/arm/mach-omap2/mux.c | 2 +-
arch/arm/mach-omap2/pm-debug.c | 8 ++++----
arch/arm/mach-omap2/smartreflex.c | 4 ++--
arch/arm/mach-ux500/mbox-db5500.c | 2 +-
drivers/leds/leds-lp5521.c | 14 +++++++-------
drivers/leds/leds-lp5523.c | 20 ++++++++++----------
drivers/media/video/sn9c102/sn9c102_core.c | 6 +++---
drivers/mfd/ab3100-core.c | 4 ++--
drivers/mfd/ab3550-core.c | 6 +++---
drivers/mfd/ab8500-debugfs.c | 6 +++---
drivers/misc/ep93xx_pwm.c | 6 +++---
drivers/net/can/at91_can.c | 2 +-
drivers/net/can/janz-ican3.c | 2 +-
drivers/platform/x86/acer-wmi.c | 2 +-
drivers/platform/x86/asus_acpi.c | 8 +-------
drivers/platform/x86/tc1100-wmi.c | 2 +-
drivers/rtc/rtc-ds1511.c | 2 +-
drivers/scsi/aic94xx/aic94xx_init.c | 2 +-
drivers/scsi/scsi_transport_iscsi.c | 2 +-
fs/ubifs/debug.c | 6 +++---
20 files changed, 50 insertions(+), 56 deletions(-)

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments


2011-02-07 19:38:44

by Matthew Garrett

[permalink] [raw]
Subject: Re: [PATCH 00/20] world-writable files in sysfs and debugfs

Thanks, I've applied the x86 platform driver ones.

--
Matthew Garrett | [email protected]

2011-02-21 11:42:24

by Samuel Ortiz

[permalink] [raw]
Subject: Re: [PATCH 00/20] world-writable files in sysfs and debugfs

Hi Vasiliy,

On Fri, Feb 04, 2011 at 03:22:29PM +0300, Vasiliy Kulikov wrote:
> mfd: ab3100: world-writable debugfs *_priv files
> mfd: ab3500: world-writable debugfs register-* files
> mfd: ab8500: world-writable debugfs register-* files
All 3 patches applied, thanks.

Cheers,
Samuel.

--
Intel Open Source Technology Centre
http://oss.intel.com/

2011-03-12 20:23:12

by Vasily Kulikov

[permalink] [raw]
Subject: Re: [PATCH 00/20] world-writable files in sysfs and debugfs

> Vasiliy Kulikov (20):
> ?mach-ux500: mbox-db5500: world-writable sysfs fifo file
> ?leds: lp5521: world-writable sysfs engine* files
> ?leds: lp5523: world-writable engine* sysfs files
> ?misc: ep93xx_pwm: world-writable sysfs files
> ?rtc: rtc-ds1511: world-writable sysfs nvram file
> ?scsi: aic94xx: world-writable sysfs update_bios file
> ?scsi: iscsi: world-writable sysfs priv_sess file

These are still not merged :(

2011-03-14 22:19:39

by Andrew Morton

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Sat, 12 Mar 2011 23:23:06 +0300
Vasiliy Kulikov <[email protected]> wrote:

> > Vasiliy Kulikov (20):
> > mach-ux500: mbox-db5500: world-writable sysfs fifo file
> > leds: lp5521: world-writable sysfs engine* files
> > leds: lp5523: world-writable engine* sysfs files
> > misc: ep93xx_pwm: world-writable sysfs files
> > rtc: rtc-ds1511: world-writable sysfs nvram file
> > scsi: aic94xx: world-writable sysfs update_bios file
> > scsi: iscsi: world-writable sysfs priv_sess file
>
> These are still not merged :(

I grabbed them and shall merge some and send others at relevant
maintainers, thanks.

2011-03-15 02:26:17

by James Bottomley

[permalink] [raw]
Subject: Re: [PATCH 00/20] world-writable files in sysfs and debugfs

On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote:
> > Vasiliy Kulikov (20):
> > mach-ux500: mbox-db5500: world-writable sysfs fifo file
> > leds: lp5521: world-writable sysfs engine* files
> > leds: lp5523: world-writable engine* sysfs files
> > misc: ep93xx_pwm: world-writable sysfs files
> > rtc: rtc-ds1511: world-writable sysfs nvram file
> > scsi: aic94xx: world-writable sysfs update_bios file
> > scsi: iscsi: world-writable sysfs priv_sess file
>
> These are still not merged :(

OK, so I've not been tracking where we are in the dizzying ride on
security systems. However, I thought we landed up in the privilege
separation arena using capabilities. That means that world writeable
files aren't necessarily a problem as long as the correct capabilities
checks are in place, right?

James

2011-03-15 03:09:09

by Greg KH

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote:
> On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote:
> > > Vasiliy Kulikov (20):
> > > mach-ux500: mbox-db5500: world-writable sysfs fifo file
> > > leds: lp5521: world-writable sysfs engine* files
> > > leds: lp5523: world-writable engine* sysfs files
> > > misc: ep93xx_pwm: world-writable sysfs files
> > > rtc: rtc-ds1511: world-writable sysfs nvram file
> > > scsi: aic94xx: world-writable sysfs update_bios file
> > > scsi: iscsi: world-writable sysfs priv_sess file
> >
> > These are still not merged :(
>
> OK, so I've not been tracking where we are in the dizzying ride on
> security systems. However, I thought we landed up in the privilege
> separation arena using capabilities. That means that world writeable
> files aren't necessarily a problem as long as the correct capabilities
> checks are in place, right?

There are no capability checks on sysfs files right now, so these all
need to be fixed.

thanks,

greg k-h

2011-03-15 11:50:37

by James Bottomley

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote:
> On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote:
> > On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote:
> > > > Vasiliy Kulikov (20):
> > > > mach-ux500: mbox-db5500: world-writable sysfs fifo file
> > > > leds: lp5521: world-writable sysfs engine* files
> > > > leds: lp5523: world-writable engine* sysfs files
> > > > misc: ep93xx_pwm: world-writable sysfs files
> > > > rtc: rtc-ds1511: world-writable sysfs nvram file
> > > > scsi: aic94xx: world-writable sysfs update_bios file
> > > > scsi: iscsi: world-writable sysfs priv_sess file
> > >
> > > These are still not merged :(
> >
> > OK, so I've not been tracking where we are in the dizzying ride on
> > security systems. However, I thought we landed up in the privilege
> > separation arena using capabilities. That means that world writeable
> > files aren't necessarily a problem as long as the correct capabilities
> > checks are in place, right?
>
> There are no capability checks on sysfs files right now, so these all
> need to be fixed.

That statement is true but irrelevant, isn't it? There can't be
capabilities within sysfs files because the system that does them has no
idea what the capabilities would be. If there were capabilities checks,
they'd have to be in the implementing routines.

I think the questions are twofold:

1. Did anyone actually check for capabilities before assuming world
writeable files were wrong?
2. Even if there aren't any capabilities checks in the implementing
routines, should there be (are we going the separated
capabilities route vs the monolithic root route)?

James

2011-03-15 14:22:19

by Greg KH

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Tue, Mar 15, 2011 at 07:50:28AM -0400, James Bottomley wrote:
> On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote:
> > On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote:
> > > On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote:
> > > > > Vasiliy Kulikov (20):
> > > > > mach-ux500: mbox-db5500: world-writable sysfs fifo file
> > > > > leds: lp5521: world-writable sysfs engine* files
> > > > > leds: lp5523: world-writable engine* sysfs files
> > > > > misc: ep93xx_pwm: world-writable sysfs files
> > > > > rtc: rtc-ds1511: world-writable sysfs nvram file
> > > > > scsi: aic94xx: world-writable sysfs update_bios file
> > > > > scsi: iscsi: world-writable sysfs priv_sess file
> > > >
> > > > These are still not merged :(
> > >
> > > OK, so I've not been tracking where we are in the dizzying ride on
> > > security systems. However, I thought we landed up in the privilege
> > > separation arena using capabilities. That means that world writeable
> > > files aren't necessarily a problem as long as the correct capabilities
> > > checks are in place, right?
> >
> > There are no capability checks on sysfs files right now, so these all
> > need to be fixed.
>
> That statement is true but irrelevant, isn't it? There can't be
> capabilities within sysfs files because the system that does them has no
> idea what the capabilities would be. If there were capabilities checks,
> they'd have to be in the implementing routines.

Ah, you are correct, sorry for the misunderstanding.

> I think the questions are twofold:
>
> 1. Did anyone actually check for capabilities before assuming world
> writeable files were wrong?

I do not think so as the majority (i.e. all the ones that I looked at)
did no such checks.

> 2. Even if there aren't any capabilities checks in the implementing
> routines, should there be (are we going the separated
> capabilities route vs the monolithic root route)?

I think the general consensus is that we go the monolithic root route
for sysfs files in that we do not allow them to be world writable.

Do you have any exceptions that you know of that do these checks?

thanks,

greg k-h

2011-03-15 14:25:58

by James Bottomley

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Tue, 2011-03-15 at 07:18 -0700, Greg KH wrote:
> On Tue, Mar 15, 2011 at 07:50:28AM -0400, James Bottomley wrote:
> > On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote:
> > > There are no capability checks on sysfs files right now, so these all
> > > need to be fixed.
> >
> > That statement is true but irrelevant, isn't it? There can't be
> > capabilities within sysfs files because the system that does them has no
> > idea what the capabilities would be. If there were capabilities checks,
> > they'd have to be in the implementing routines.
>
> Ah, you are correct, sorry for the misunderstanding.
>
> > I think the questions are twofold:
> >
> > 1. Did anyone actually check for capabilities before assuming world
> > writeable files were wrong?
>
> I do not think so as the majority (i.e. all the ones that I looked at)
> did no such checks.

OK, as long as someone checked, I'm happy.

> > 2. Even if there aren't any capabilities checks in the implementing
> > routines, should there be (are we going the separated
> > capabilities route vs the monolithic root route)?
>
> I think the general consensus is that we go the monolithic root route
> for sysfs files in that we do not allow them to be world writable.
>
> Do you have any exceptions that you know of that do these checks?

Heh, I didn't call our security vacillations a dizzying ride for
nothing. I know the goal once was to try to run a distro without root
daemons (which is what required the capabilities stuff). I'm actually
trying to avoid the issue ... I just want to make sure that people who
care aren't all moving in different directions.

James

2011-03-15 16:12:24

by Vasily Kulikov

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Tue, Mar 15, 2011 at 07:50 -0400, James Bottomley wrote:
> 1. Did anyone actually check for capabilities before assuming world
> writeable files were wrong?

I didn't check all these files as I haven't got these hardware :-) But
as I can "chmod a+w" all sysfs files on my machine and they all become
sensible to nonroot writes, I suppose there is nothing preventing
nonroot users from writing to these buggy sysfs files. As you can see,
there are no capable() checks in these drivers in open() or write().

> 2. Even if there aren't any capabilities checks in the implementing
> routines, should there be (are we going the separated
> capabilities route vs the monolithic root route)?

IMO, In any case old good DAC security model must not be obsoleted just
because someone thinks that MAC or anything else is more convenient for
him. If sysfs is implemented via filesystem then it must support POSIX
permissions semantic. MAC is very good in _some_ cases, but not instead
of DAC.

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

2011-03-15 16:33:02

by James Bottomley

[permalink] [raw]
Subject: Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs

On Tue, 2011-03-15 at 19:08 +0300, Vasiliy Kulikov wrote:
> On Tue, Mar 15, 2011 at 07:50 -0400, James Bottomley wrote:
> > 1. Did anyone actually check for capabilities before assuming world
> > writeable files were wrong?
>
> I didn't check all these files as I haven't got these hardware :-)

You don't need the hardware to check ... the question becomes is a
capabilities test sitting in the implementation or not.

> But
> as I can "chmod a+w" all sysfs files on my machine and they all become
> sensible to nonroot writes, I suppose there is nothing preventing
> nonroot users from writing to these buggy sysfs files. As you can see,
> there are no capable() checks in these drivers in open() or write().
>
> > 2. Even if there aren't any capabilities checks in the implementing
> > routines, should there be (are we going the separated
> > capabilities route vs the monolithic root route)?
>
> IMO, In any case old good DAC security model must not be obsoleted just
> because someone thinks that MAC or anything else is more convenient for
> him. If sysfs is implemented via filesystem then it must support POSIX
> permissions semantic. MAC is very good in _some_ cases, but not instead
> of DAC.

Um, I'm not sure that's even an issue. capabilities have CAP_ADMIN
which is precisely the same check as owner == root. We use this a lot
because ioctls ignore the standard unix DAC model.

James