Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760052AbXFIUHI (ORCPT ); Sat, 9 Jun 2007 16:07:08 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1758991AbXFIUG5 (ORCPT ); Sat, 9 Jun 2007 16:06:57 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:35051 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758888AbXFIUG4 (ORCPT ); Sat, 9 Jun 2007 16:06:56 -0400 Date: Sat, 9 Jun 2007 21:06:45 +0100 From: Al Viro To: Kyle Moffett Cc: Ulrich Drepper , Linus Torvalds , Davide Libenzi , Alan Cox , Theodore Tso , Eric Dumazet , Linux Kernel Mailing List , Andrew Morton , Ingo Molnar Subject: Re: [patch 7/8] fdmap v2 - implement sys_socket2 Message-ID: <20070609200645.GG4095@ftp.linux.org.uk> References: <20070609003622.GB4095@ftp.linux.org.uk> <466A0020.50406@redhat.com> <20070609014140.GC4095@ftp.linux.org.uk> <466A0BFB.3070908@redhat.com> <20070609151521.GD4095@ftp.linux.org.uk> <466AD4BA.80407@redhat.com> <20070609165454.GE4095@ftp.linux.org.uk> <466ADEAB.7080202@redhat.com> <20070609172429.GF4095@ftp.linux.org.uk> <2E51520E-EC73-457F-809A-4749ED9A3C97@mac.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2E51520E-EC73-457F-809A-4749ED9A3C97@mac.com> User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1980 Lines: 55 On Sat, Jun 09, 2007 at 03:27:43PM -0400, Kyle Moffett wrote: > On Jun 09, 2007, at 13:24:29, Al Viro wrote: > >On Sat, Jun 09, 2007 at 10:08:59AM -0700, Ulrich Drepper wrote: > >>- - there are two interface to use: open + fcntl. This is racy. > >>And don't tell me this doesn't matter. > >Racy with respect to what? Return-to-libc exploits from another > >thread? > > How about racy with respect to normal open How the hell can it be racy wrt normal open()? F_DUPFD is not dup2(), it's non-overriding. > or fork+exec from another > thread? Specifically there are cases where libc or other libraries > want to create a backend thread dealing with file descriptors in > response to the program's straightforward calls into that library > (Examples include using syslets or event-based polling threads). > > > SCENARIO 1: > > Program Thread: Library Thread: > fd = socket(AF_*, SOCK_*, 0); > fork(); > int x = FD_CLOEXEC; > fcntl(fd, F_SETFD, &x); > > New Process: > setgroups(...); > seteuid(...); > exec(....); > > Whoops!!! Suddenly the user process executed by the (theoretically) > single-threaded program got a handle to a netlink socket affecting > some system resource!!! Give me a break. fork(3) is nowhere near plain fork(2); read the nptl code for details. Getting a low-overhead exclusion into that scheme is not a rocket science. And lose the bangs, please... > SCENARIO 2: > > Program Thread: Async libc getpwent()-cache syslet > close(0); > fd = open("/etc/shadow"); > open("/dev/null"); > code_which_insecurely_reads_from_stdin(); >From what, again? Use of stdio after that is deep in nasal demon land... - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/