25.04.2024 05:31, Al Viro пишет:
Consider the following, currently absolutely harmless situation: * process is owned by luser:students. * descriptor 69 refers to root-opened root directory (O_RDONLY) What's the expected result of fcntl(69, F_SEFTD, O_CLOEXEC); opening "etc/shadow" with dirfd equal to 69 and your flag given subsequent read() from the resulting descriptor? At which point will the kernel say "go fuck yourself, I'm not letting you read that file", provided that attacker passes that new flag of yours? As a bonus question, how about opening it for _write_, seeing that this is an obvious instant roothole? Again, currently the setup that has a root-opened directory in descriptor table of a non-root process is safe. Incidentally, suppose you have the same process run with stdin opened (r/o) by root. F_SETFD it to O_CLOEXEC, then use your open with dirfd being 0, pathname - "" and flags - O_RDWR.
Ok, F_SETFD, how simple. :(
AFAICS, without an explicit opt-in by the original opener it's a non-starter, and TBH I doubt that even with such opt-in (FMODE_CRED, whatever) it would be a good idea - it gives too much.
Yes, which is why I am quite sceptical to this FMODE_CRED idea. Please note that my O_CLOEXEC check actually meant to check that exactly this process have opened the dir. It just didn't happen that way, as you pointed. Can I replace the O_CLOEXEC check with some explicit check that makes sure the fd was opened by exactly that process?