On Tue, Oct 16, 2018 at 5:53 PM, Theodore Y. Ts'o <tytso@xxxxxxx> wrote: >> > The patch I referenced in my previous e-mail protects against >> > additional scenarios where someone might be trying to punch a whole >> > into a file that is being swapped into the bootloader ioctl. This >> > particular ioctl isn't yet being used by anyone, so it had some other >> > issues as well, such as not interacting well with inline_data-enabled >> > file systems --- not that any bootloader would be small enough that it >> > would fit in an inline_data inode, but we're basically proofing the >> > code against a malicious (or buggy) root-privileged program... such as >> > syzbot. :-) >> >> ... or paving the way to opening all of this to non-root users. Why >> not if not bugs? ;) > > The intent behind this particular ioctl is used to install a boot > loader. It will *never* be opened to non-root users. It doesn't even > make sense to make it available to pseudo-containers-root users. :-) But it does not have to be executed on the root fs, right? Or is it? For example, if I need to build a bootable image (which I actually need to do for syzkaller). In the end it boils down to just creating a local, private file with some particular contents. Should be nobody's business, right? But for some reason on Linux creation of a local file requires root privileges multiple times along the way. As the result I have run the whole service as root, degrading overall security. And I can't say that I fully trust all code and data involved, but Linux simply does not give me any choice.
