Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750825AbWCAE7G (ORCPT ); Tue, 28 Feb 2006 23:59:06 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1750915AbWCAE7F (ORCPT ); Tue, 28 Feb 2006 23:59:05 -0500 Received: from ebiederm.dsl.xmission.com ([166.70.28.69]:7654 "EHLO ebiederm.dsl.xmission.com") by vger.kernel.org with ESMTP id S1750825AbWCAE7E (ORCPT ); Tue, 28 Feb 2006 23:59:04 -0500 To: Paul Jackson Cc: akpm@osdl.org, laurent.riffard@free.fr, jesper.juhl@gmail.com, linux-kernel@vger.kernel.org, rjw@sisk.pl, mbligh@mbligh.org, clameter@engr.sgi.com Subject: Re: 2.6.16-rc5-mm1 References: <20060228042439.43e6ef41.akpm@osdl.org> <9a8748490602281313t4106dcccl982dc2966b95e0a7@mail.gmail.com> <4404CE39.6000109@liberouter.org> <9a8748490602281430x736eddf9l98e0de201b14940a@mail.gmail.com> <4404DA29.7070902@free.fr> <20060228162157.0ed55ce6.akpm@osdl.org> <20060228190535.41a8c697.pj@sgi.com> <20060228202632.cba12ae7.pj@sgi.com> From: ebiederm@xmission.com (Eric W. Biederman) Date: Tue, 28 Feb 2006 21:57:34 -0700 In-Reply-To: <20060228202632.cba12ae7.pj@sgi.com> (Paul Jackson's message of "Tue, 28 Feb 2006 20:26:32 -0800") Message-ID: User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2192 Lines: 63 Paul Jackson writes: > Eric wrote: >> The logic is can I access this file in some other way besides through >> /proc. >> >> When applied to /proc//exe >> When applied to /proc//root >> When applied to /proc//cwd > > I can't make sense of the above. Could you elaborate? Sorry. What I ment was when applied to the above files the permission checks are not quite correct because I should check to see if you share a fs_struct with them, checking for a shared files_struct for exe,root,cwd is nonsense. The permission check is not quite in the right place yet in /proc. The logical check which I have implemented imperfectly is: Without going through /proc/fd can I see this file. Part of the reason this happens now is the old check unchanged since 2.2 was it only checked to see if the two processes were in the same chroot. I made the check test the actual files that were returned. Which is much more correct, and much more likely to prevent information leaks. > And explain how any of these permission checks fail for > a root shell? Because I probably need a check something like if (capable(CAP_DAC_OVERRIDE)) return 0; To allow an appropriately privileged root user to do anything. The short answer is that I bug fixed the permission checks into working but that is not sufficient for the permission checks to be correct. :( These checks were previously done so badly they were mistaken for generic permission checks that all files in /proc should have. Which resulted in tons of useless cruft. At this point the code is working as designed but it is clearly not working as it needs to. I am also beginning to think that readlink and followlink should have different permissions. Especially to keep fuser and his friends happy. I am glad I found this issue with permissions on /proc//fd, but it is clear there is still more todo. Ok. Now back to hunting bugs that crash the kernel. Eric - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/