Claudiu Costin wrote:
>
> Hello all,
>
> Don't be scared about message subject.
> Last night I read af_irda.c from kernel source.
> More precisely irda_setsockopt and irda_getsockopt.
> There are two sockopts (get and set) for local IAS
> manipulation: IRDA_IAS_SET and IRDA_IAS_GET (I read
> from memory).
> My concern: the r00t user sets or reads an entry on/from
> IAS and performs some actions (perhaps dangerous to be
> exploitable, e.g. run a service or another executable or else)
> regarding values in local IAS (or even remote?)
>
> A local user also can set their desired IAS entries replacing
> r00t ones.
> Questions:
>
> Is this really potentially exploitable?
Yes: all IAS entries set by any user (root or not) can be
manipulated by any other user.
Does it matter? No. IAS entries that are set by users are not
used for any IrDA functionality.
> Can there be a mechanism to separate root/user or user1/user2?
> (I found that entries set by kernel are immune to deleting with IRDA_IAS_DEL)
The only IAS entries that matter are the ones set by the
kernel. All the other IAS entries are cosmetic and not used by the
IrDA stack.
There is no point in trying to separate the users in the
kernel. If you are really worried, just restrict the IAS_SET/IAS_DEL
calls to root only and prevent normal users from manipulating the IAS (they
have no need to do it anyway).
If you send me a patch that restricts the setsockopt call to
root, I'll forward it to Linus.
> Is there a need to write a document and advertise the possible danger if we
> cannot this situation if all I say is correct?
>
> P.S. I think IrDA was designed by people concerned only with desktop users
> (i.e. one user, one device and monouser O.S.)
I think you give too much importance to the IAS
functionality. There is not much you can do with it anyway. If you
want, we'll restrict it to root only and that will be fixed.
> P.S.S. For Jean: is it now possible to escape from having same name object
> and different IDs?
Nope, the IrDA stack needs it. The number one priority here is
to have a fully working IrDA stack.
Jean
_______________________________________________
Linux-IrDA mailing list - [EMAIL PROTECTED]
http://www.pasta.cs.UiT.No/mailman/listinfo/linux-irda
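
The access rule discussed in this thread, as an added example that is not part of the original e-mail or the kernel source: a small userspace C model of the local IAS table. It shows that user-set entries carry no owner while kernel-set entries are protected, and what the proposed root-only restriction changes. The table layout (simplified to name and integer value), the function names, the `ias_root_only` switch and the uid-0 check are all assumptions for illustration.

```c
/* Added example: userspace model of the local IAS table, not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define IAS_MAX 8
struct ias_entry { char name[32]; int value, kernel_owned, used; };
static struct ias_entry ias[IAS_MAX];
int ias_root_only; /* 0: behaviour described in the thread, 1: proposed fix */

static struct ias_entry *ias_find(const char *name)
{
    for (int i = 0; i < IAS_MAX; i++)
        if (ias[i].used && !strcmp(ias[i].name, name)) return &ias[i];
    return NULL;
}

/* Create or overwrite an entry; kernel=1 marks entries owned by the stack. */
int ias_store(const char *name, int value, int kernel)
{
    struct ias_entry *e = ias_find(name);
    for (int i = 0; !e && i < IAS_MAX; i++)
        if (!ias[i].used) e = &ias[i];
    if (!e) return -ENOMEM;
    snprintf(e->name, sizeof(e->name), "%s", name);
    e->value = value; e->kernel_owned = kernel; e->used = 1;
    return 0;
}

/* Model of IRDA_IAS_SET: the table never records which uid set an entry. */
int ias_set(uid_t uid, const char *name, int value)
{
    struct ias_entry *e = ias_find(name);
    if (ias_root_only && uid != 0) return -EPERM; /* proposed restriction */
    if (e && e->kernel_owned) return -EPERM;      /* kernel entries protected */
    return ias_store(name, value, 0);
}

/* Model of IRDA_IAS_DEL, with the same two checks. */
int ias_del(uid_t uid, const char *name)
{
    struct ias_entry *e = ias_find(name);
    if (ias_root_only && uid != 0) return -EPERM;
    if (!e) return -ENOENT;
    if (e->kernel_owned) return -EPERM;
    e->used = 0;
    return 0;
}
```

With `ias_root_only` left at 0, a call such as `ias_set(1000, "UserEntry", 99)` succeeds on an entry root created; setting it to 1 makes the same call return `-EPERM`.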