Hey, Alan, Paolo. On Fri, Nov 02, 2012 at 03:35:30PM +0000, Alan Cox wrote: > > >> That would be a change with respect to what we have now. After > > >> transferring a root-opened (better: CAP_SYS_RAWIO-opened) file > > >> descriptor to an unprivileged process your SG_IO commands get > > >> filtered. So a ioctl is needed if you want to rely on SCM_RIGHTS. > > > > > > Yeah, I get that it's a behavior change, but would that be a problem? > > > > Worse, it's a potential security hole because previously you'd get > > filtering and now you wouldn't. > > > > Considering that SCM_RIGHTS is usually used to transfer a file > > descriptor from a privileged process to an unprivileged one, I'd be very > > worried of that. > > In other contexts you inherit file handles via exec and having a "root > opened so its special" model is bad. Historically it led to things like > the rlogin/rsh hacks on SunOS and friends where a program run by the rsh > daemon got a root opened socket as its stdin/out and could issue ifconfig > ioctls on it at will. > > Not a good model. Any removal of filters and passing them to a task > should be explicit. The behaviour really ought to be to permit the > intentional setting of explicit filters then passing them, not touch the > default behaviour.
Yeah, well, then I guess it'll have to be a separate ioctl to switch SG_IO for !root users. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
