Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Sat, 12 Mar 2011 23:23:06 +0300 Vasiliy Kulikov seg...@openwall.com wrote: Vasiliy Kulikov (20): mach-ux500: mbox-db5500: world-writable sysfs fifo file leds: lp5521: world-writable sysfs engine* files leds: lp5523: world-writable engine* sysfs files misc: ep93xx_pwm: world-writable sysfs files rtc: rtc-ds1511: world-writable sysfs nvram file scsi: aic94xx: world-writable sysfs update_bios file scsi: iscsi: world-writable sysfs priv_sess file These are still not merged :( I grabbed them and shall merge some and send others at relevant maintainers, thanks. -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote: On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote: On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote: Vasiliy Kulikov (20): mach-ux500: mbox-db5500: world-writable sysfs fifo file leds: lp5521: world-writable sysfs engine* files leds: lp5523: world-writable engine* sysfs files misc: ep93xx_pwm: world-writable sysfs files rtc: rtc-ds1511: world-writable sysfs nvram file scsi: aic94xx: world-writable sysfs update_bios file scsi: iscsi: world-writable sysfs priv_sess file These are still not merged :( OK, so I've not been tracking where we are in the dizzying ride on security systems. However, I thought we landed up in the privilege separation arena using capabilities. That means that world writeable files aren't necessarily a problem as long as the correct capabilities checks are in place, right? There are no capability checks on sysfs files right now, so these all need to be fixed. That statement is true but irrelevant, isn't it? There can't be capabilities within sysfs files because the system that does them has no idea what the capabilities would be. If there were capabilities checks, they'd have to be in the implementing routines. I think the questions are twofold: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? James -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Tue, Mar 15, 2011 at 07:50:28AM -0400, James Bottomley wrote: On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote: On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote: On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote: Vasiliy Kulikov (20): mach-ux500: mbox-db5500: world-writable sysfs fifo file leds: lp5521: world-writable sysfs engine* files leds: lp5523: world-writable engine* sysfs files misc: ep93xx_pwm: world-writable sysfs files rtc: rtc-ds1511: world-writable sysfs nvram file scsi: aic94xx: world-writable sysfs update_bios file scsi: iscsi: world-writable sysfs priv_sess file These are still not merged :( OK, so I've not been tracking where we are in the dizzying ride on security systems. However, I thought we landed up in the privilege separation arena using capabilities. That means that world writeable files aren't necessarily a problem as long as the correct capabilities checks are in place, right? There are no capability checks on sysfs files right now, so these all need to be fixed. That statement is true but irrelevant, isn't it? There can't be capabilities within sysfs files because the system that does them has no idea what the capabilities would be. If there were capabilities checks, they'd have to be in the implementing routines. Ah, you are correct, sorry for the misunderstanding. I think the questions are twofold: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? I do not think so as the majority (i.e. all the ones that I looked at) did no such checks. 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? I think the general consensus is that we go the monolithic root route for sysfs files in that we do not allow them to be world writable. Do you have any exceptions that you know of that do these checks? thanks, greg k-h -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Tue, 2011-03-15 at 07:18 -0700, Greg KH wrote: On Tue, Mar 15, 2011 at 07:50:28AM -0400, James Bottomley wrote: On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote: There are no capability checks on sysfs files right now, so these all need to be fixed. That statement is true but irrelevant, isn't it? There can't be capabilities within sysfs files because the system that does them has no idea what the capabilities would be. If there were capabilities checks, they'd have to be in the implementing routines. Ah, you are correct, sorry for the misunderstanding. I think the questions are twofold: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? I do not think so as the majority (i.e. all the ones that I looked at) did no such checks. OK, as long as someone checked, I'm happy. 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? I think the general consensus is that we go the monolithic root route for sysfs files in that we do not allow them to be world writable. Do you have any exceptions that you know of that do these checks? Heh, I didn't call our security vacillations a dizzying ride for nothing. I know the goal once was to try to run a distro without root daemons (which is what required the capabilities stuff). I'm actually trying to avoid the issue ... I just want to make sure that people who care aren't all moving in different directions. James -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote: On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote: Vasiliy Kulikov (20): mach-ux500: mbox-db5500: world-writable sysfs fifo file leds: lp5521: world-writable sysfs engine* files leds: lp5523: world-writable engine* sysfs files misc: ep93xx_pwm: world-writable sysfs files rtc: rtc-ds1511: world-writable sysfs nvram file scsi: aic94xx: world-writable sysfs update_bios file scsi: iscsi: world-writable sysfs priv_sess file These are still not merged :( OK, so I've not been tracking where we are in the dizzying ride on security systems. However, I thought we landed up in the privilege separation arena using capabilities. That means that world writeable files aren't necessarily a problem as long as the correct capabilities checks are in place, right? There are no capability checks on sysfs files right now, so these all need to be fixed. thanks, greg k-h -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Tue, 2011-03-15 at 19:08 +0300, Vasiliy Kulikov wrote: On Tue, Mar 15, 2011 at 07:50 -0400, James Bottomley wrote: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? I didn't check all these files as I haven't got these hardware :-) You don't need the hardware to check ... the question becomes is a capabilities test sitting in the implementation or not. But as I can chmod a+w all sysfs files on my machine and they all become sensible to nonroot writes, I suppose there is nothing preventing nonroot users from writing to these buggy sysfs files. As you can see, there are no capable() checks in these drivers in open() or write(). 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? IMO, In any case old good DAC security model must not be obsoleted just because someone thinks that MAC or anything else is more convenient for him. If sysfs is implemented via filesystem then it must support POSIX permissions semantic. MAC is very good in _some_ cases, but not instead of DAC. Um, I'm not sure that's even an issue. capabilities have CAP_ADMIN which is precisely the same check as owner == root. We use this a lot because ioctls ignore the standard unix DAC model. James -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
