On Jun 5, 2008, at 2:02 PM, David Bonnie wrote:
> Hey all -
>
> Nick and I are digging through the permissions checking in various state
> machines and we're a little confused about something. It seems that both
> the truncate and io state machines do not check permissions unless root
> squashing has been performed. If it hasn't, the checks in place now
> simply allow access.
>
> Is there any checking going on somewhere we aren't finding it? Both state
> machines use the PINT_SERVER_CHECK_NONE value in the server request
> parameters structure which seems to bypass all permissions checking
> entirely except for the root squashing case. Right now the client-side
> calls do a getattr before doing any io and thus get denied access if
> privileges don't match.

That's the only checking we do for IO.

> It seems like it'd be fairly easy to write a program that could directly
> send io requests with any file handle to grab or overwrite data.

Even if we checked permissions for IO at the servers, it's just as easy
to write a program that sends a different uid.

> Is this something that just got overlooked or is there some kind of check
> in place to prevent this?

The kernel module and daemon will perform the proper checks -- we do
assume that code won't be compromised, but it can only be run as root,
so if it is, the attacker already has root anyway. Without auth/authz
for requests, there's just no way to prevent the userspace apps from
being modified to be malicious (even with root squash enabled).

-sam

> Thanks!
>
> - Dave
_______________________________________________
Pvfs2-developers mailing list
[email protected]
http://www.beowulf-underground.org/mailman/listinfo/pvfs2-developers
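
The three server-side policies discussed in this thread, modelled side by side as an added example (not PVFS2 code and not written by either poster): no check, a mode check on the uid the request carries, and the same check after the uid has been authenticated. The object table, the `tag` field, the issuer key and all function names are assumptions made for illustration; the credential binds only the uid and has no expiry.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: one object, owner uid 1000, mode 0600.
OBJECTS = {0x1001: {"owner": 1000, "mode": 0o600}}
# Assumption: a key shared by the servers and a credential issuer, never by clients.
ISSUER_KEY = b"constructed-demo-key"

@dataclass
class IoRequest:
    handle: int
    uid: int            # uid as written into the request by its sender
    write: bool
    tag: bytes = b""    # hypothetical credential: MAC over the uid

def issue_credential(uid: int) -> bytes:
    return hmac.new(ISSUER_KEY, str(uid).encode(), hashlib.sha256).digest()

def mode_allows(obj: dict, uid: int, write: bool) -> bool:
    """Owner/other mode-bit check; groups and root are left out."""
    bits = obj["mode"] >> (6 if uid == obj["owner"] else 0)
    return bool(bits & (0o2 if write else 0o4))

def check_none(req: IoRequest) -> bool:
    # Behaviour described in the thread: a known handle is enough.
    return req.handle in OBJECTS

def check_asserted_uid(req: IoRequest) -> bool:
    # Permission check that trusts whatever uid the request carries.
    obj = OBJECTS.get(req.handle)
    return obj is not None and mode_allows(obj, req.uid, req.write)

def check_authenticated_uid(req: IoRequest) -> bool:
    # Same check, but only after the uid is shown to match its credential.
    obj = OBJECTS.get(req.handle)
    if obj is None or not hmac.compare_digest(req.tag, issue_credential(req.uid)):
        return False
    return mode_allows(obj, req.uid, req.write)

def decisions(req: IoRequest) -> tuple:
    return check_none(req), check_asserted_uid(req), check_authenticated_uid(req)

# Constructed requests; uid 2000 holds only its own credential.
HONEST = IoRequest(0x1001, 2000, True, issue_credential(2000))
RELABELLED = IoRequest(0x1001, 1000, True, issue_credential(2000))  # uid field changed
OWNER = IoRequest(0x1001, 1000, False, issue_credential(1000))
```

`decisions()` returns the three verdicts in the order listed above; only the authenticated check gives different answers for `RELABELLED` and `OWNER`.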