On Mon, 7 Dec 2009, Andrew Lutomirski wrote:

> On Mon, Dec 7, 2009 at 9:13 AM, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
> > First obvious attack: get an O_NODE handle to a device you have assigned
> > to your ownership
> >
> > while(1)
> >         fchmod(fd, 0666);
> >
> > wait for device to unload, reload and be intended for another user
> > Race udev to a real open. You have a similar problem with vhangup() and
> > ttys.
>
> Huh?  I would've thought that udev would (and already does?), on
> device unload, chown to 0:0, then chmod to 0000, then unlink, in which
> case that attack doesn't work.

Git version of udev does:

        chmod(filename, 0000);
        chown(filename, 0, 0);
        err = unlink(filename);

It should probably do it the other way round, which is how it was
originally, until this commit messed it up:

commit 39087d3bdd0b5195c2570a4f858b88a82d42a066
Author: Kay Sievers <kay.sievers@xxxxxxxx>
Date:   Sat Aug 29 16:10:24 2009 +0200

    util_unlink_secure(): chmod() before chown()

    Suggested by Florian Zumbiehl <florz@xxxxxxxx>.

And the thread where it came from:

http://markmail.org/thread/ozwcbju52yb3qs5d

where the poster actually warned Kay that it was wrong...

> Would you be okay with a patch that prevented opening
> /proc/self/fd/xxx on O_NODE handles?

We can't sanely do that.

Thanks,
Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
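The ordering argument above can be reproduced without a device node or an O_NODE handle. The following program is an added example for this archived thread, not code from udev or from any of the posters: it uses a temp file the caller owns as the "device node" and a plain open(2) fd as the handle the attacker keeps across udev's cleanup, runs the quoted git-udev sequence (chmod, then chown, then unlink), and interleaves the body of Alan's loop, fchmod(fd, 0666), after the chmod. Because chown has not run yet, the caller is still the owner and the kernel permits the fchmod, so the node is 0666 again when udev chowns it and unlinks it; the attacker then reopens the orphaned inode through /proc/self/fd/N, the path Andrew asked about. Assumptions: Linux (for the /proc/self/fd re-open), a writable /tmp, and that the unprivileged chown(…, 0, 0) fails with EPERM, which is the usual case outside root; the function and file names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the device node: a temp file we own (mkstemp creates it
 * 0600).  The returned fd plays the role of the attacker's O_NODE handle
 * that stays open across udev's cleanup.  (Assumption: /tmp is writable.) */
static int make_node(char *path, size_t len)
{
    snprintf(path, len, "/tmp/unlink_secure_demo.XXXXXX");
    return mkstemp(path);
}

/* The quoted git-udev order: chmod first.  The attacker interleaves the
 * body of Alan's loop, fchmod(fd, 0666), right after the chmod.  Returns
 * 1 if the mode is 0666 again afterwards (the attacker won), 0 if fchmod
 * was refused, -1 on setup error. */
int owner_can_undo_chmod(void)
{
    char path[64];
    struct stat st;
    int fd = make_node(path, sizeof path);
    if (fd < 0)
        return -1;

    /* udev step 1: chmod(filename, 0000) */
    if (chmod(path, 0000) < 0) {
        unlink(path);
        close(fd);
        return -1;
    }

    /* attacker: we are still the owner, so the kernel lets us undo it.
     * Had chown(filename, 0, 0) run first, this fails with EPERM. */
    int won = fchmod(fd, 0666) == 0
           && fstat(fd, &st) == 0
           && (st.st_mode & 07777) == 0666;

    unlink(path);
    close(fd);
    return won;
}

/* Whole quoted sequence, chmod then chown then unlink, with the attacker
 * winning the race after the chmod and then reopening the orphaned inode
 * through /proc/self/fd/N.  Returns 1 if the read/write reopen succeeded,
 * 0 if it was refused with EACCES, -1 if /proc/self/fd is unavailable or
 * setup failed.  (Assumption: Linux, where opening /proc/self/fd/N opens
 * the inode afresh, with a new permission check against its mode.) */
int reopen_via_proc_fd_after_unlink(void)
{
    char path[64], link[64];
    int fd = make_node(path, sizeof path);
    if (fd < 0)
        return -1;

    chmod(path, 0000);          /* udev step 1 */
    fchmod(fd, 0666);           /* attacker wins the race */

    /* udev step 2: chown(filename, 0, 0).  Unprivileged this fails with
     * EPERM; even when it succeeds (run as root) it leaves 0666 in place,
     * which is why the order of the two calls matters. */
    if (chown(path, 0, 0) < 0 && errno != EPERM) {
        unlink(path);
        close(fd);
        return -1;
    }

    unlink(path);               /* udev step 3: err = unlink(filename) */

    /* attacker: the name is gone but the inode lives on behind fd */
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    int fd2 = open(link, O_RDWR);
    int rc;
    if (fd2 >= 0) {
        rc = 1;
        close(fd2);
    } else {
        rc = (errno == EACCES) ? 0 : -1;
    }
    close(fd);
    return rc;
}

int main(void)
{
    printf("owner undid chmod 0000 through the open fd: %d\n",
           owner_can_undo_chmod());
    printf("reopened the unlinked inode via /proc/self/fd: %d\n",
           reopen_via_proc_fd_after_unlink());
    return 0;
}
```

Showing the other half, that with chown(filename, 0, 0) first the fchmod in step 2 is refused with EPERM, needs two uids (the file must belong to someone other than the process holding the fd), so it is left to a root-run variant; the point the example makes is the one that needs no privilege: chmod 0000 on a file is undone by its owner through any fd they already hold, so chmod can only stick once ownership has been taken away.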