On Mon, 7 Dec 2009, Alan Cox wrote:
> > > That is *exactly* the problem, which is clearly what you are missing here.
> >
> > I don't think so, but maybe I'm wrong. Could you describe your attack
> > scenario in detail then, please?
>
> First obvious attack: get an O_NODE handle to a device you have assigned
> to your ownership
>
> while(1)
>         fchmod(fd, 0666);
>
> wait for device to unload, reload and be intended for another user
> Race udev to a real open. You have a similar problem with vhangup() and
> ttys.

If this was a udev device, the same attack is possible with a hard
link to the device. Except the attacker simply does link() instead of
open(O_NODE) and chmod() instead of fchmod().

See?

Thanks,
Miklos