From: Linus Torvalds
Date: Wed, 18 Jul 2018 11:19:18 -0700
Subject: Re: [RFC] call_with_creds()
To: Al Viro
Cc: Miklos Szeredi, Stephen Rothwell, linux-fsdevel, Linux Kernel Mailing List
In-Reply-To: <20180718181252.GU30522@ZenIV.linux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 18, 2018 at 11:13 AM Al Viro wrote:
>
> Linus, David - do you have any objections to the above?

I damn well do.

I explained earlier why it's wrong and fragile, and why it can just cause the *reverse* security problem if you do it wrong.

So now you take a subtle bug, and make it even more subtle, and encourage people to do this known-broken model of using creds at IO time.

No.

Some debugging option to just clear current->creds entirely and catch mis-uses, sure. But saying "we have shit buggy garbage in random write functions, so we'll just paper over it"?

No.

Linus