Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756505AbbDVKqm (ORCPT ); Wed, 22 Apr 2015 06:46:42 -0400 Received: from 251.110.2.81.in-addr.arpa ([81.2.110.251]:51973 "EHLO lxorguk.ukuu.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756455AbbDVKqj (ORCPT ); Wed, 22 Apr 2015 06:46:39 -0400 Date: Wed, 22 Apr 2015 11:45:38 +0100 From: One Thousand Gnomes To: Linus Torvalds Cc: "Eric W. Biederman" , Greg Kroah-Hartman , Andrew Morton , Arnd Bergmann , Tom Gundersen , Jiri Kosina , Andy Lutomirski , Linux Kernel Mailing List , Daniel Mack , David Herrmann , Djalal Harouni Subject: Re: Issues with capability bits and meta-data in kdbus Message-ID: <20150422114538.0f8b3d04@lxorguk.ukuu.org.uk> In-Reply-To: References: <20150413190350.GA9485@kroah.com> <8738434yjk.fsf@x220.int.ebiederm.org> <87lhhv36je.fsf@x220.int.ebiederm.org> <20150414175534.GB3974@kroah.com> <87oamhmbso.fsf_-_@x220.int.ebiederm.org> Organization: Intel Corporation X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1798 Lines: 43 > > - Access to the capability bits is guarded with PTRACE_MAY_READ > > kdbus does not honor that and thus leaks information. > > Now, this is likely not a real problem. > > Yes, when you try to read other processes capabilities, you need > PTRACE_MAY_READ to see them. HOWEVER, that's not really what a kdbus > message would do - it doesn't "read somebody elses capabilities". When > you do a kdbus write, you export your *own* capabilities. If you don't > want others to know what privileges you have, then you shouldn't be > using kdbus. That's broken but fixable. It should not share any capability information *unless* you pass a flag which says "flash my security badges around". That fails safe (descriptor passed to another process), and gives a default behaviour which is non surprising, non leaky and useful for general purposes. This is also mirroring AF_LOCAL/AF_UNIX where you have to choose to wave your bits in public. (again its showing that kdbus really should be done by adding multicast reliable delivery to AF_LOCAL sockets) > So I think that one is a real and serious bug. But the other > complaints seem to be off the mark. It seems quite reasonable to me to > say that a recipient should be able to distinguish between *root* > sending it a dbus message to take down the system, and some random > luser doing the same. Agreed but there are better ways to do this including opening some kind of capability object and passing it as proof. Also do I need to be root when I send the message or root when you ask ... Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/