Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Mickaël Salaün]

On 28/11/2015 23:55, Richard Weinberger wrote:
> Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
>>
>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
 Replace the default insecure mode 0777 with 0700 for temporary file.

 Prohibit other users to change the executable mapped code.
>>>
>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>
>>
>> Yes, but if someone could open it before the unlink e.g. because of the 
>> umask (which does not seems to be the case thanks to mkstemp, but remains 
>> unspecified [1]), this user should then be able to have write access to the 
>> file descriptor/description.
> 
> Yes, someone can open it before the unlink. But you change the file mode 
> after that.
> How does it improve the situation? The attacker has already the file handle.

The attacker could have the file handle only in a read-only mode, which is a 
bit different than being able to write and execute arbitrary code thanks to a 
file descriptor mapped RWX :)

 Mickaël



signature.asc
Description: OpenPGP digital signature

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Richard Weinberger]

Am 29.11.2015 um 00:00 schrieb Mickaël Salaün:
> 
> 
> On 28/11/2015 23:55, Richard Weinberger wrote:
>> Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
>>>
>>> On 28/11/2015 22:40, Richard Weinberger wrote:
 Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
> Replace the default insecure mode 0777 with 0700 for temporary file.
>
> Prohibit other users to change the executable mapped code.

 Hmm, isn't the tmp file already unlinked at this stage?

>>>
>>> Yes, but if someone could open it before the unlink e.g. because of the 
>>> umask (which does not seems to be the case thanks to mkstemp, but remains 
>>> unspecified [1]), this user should then be able to have write access to the 
>>> file descriptor/description.
>>
>> Yes, someone can open it before the unlink. But you change the file mode 
>> after that.
>> How does it improve the situation? The attacker has already the file handle.
> 
> The attacker could have the file handle only in a read-only mode, which is a 
> bit different than being able to write and execute arbitrary code thanks to a 
> file descriptor mapped RWX :)

Fair point. Please describe this in detail in the patch changelog. :-)

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Richard Weinberger]

Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
> 
> On 28/11/2015 22:40, Richard Weinberger wrote:
>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>
>>> Prohibit other users to change the executable mapped code.
>>
>> Hmm, isn't the tmp file already unlinked at this stage?
>>
> 
> Yes, but if someone could open it before the unlink e.g. because of the umask 
> (which does not seems to be the case thanks to mkstemp, but remains 
> unspecified [1]), this user should then be able to have write access to the 
> file descriptor/description.

Yes, someone can open it before the unlink. But you change the file mode after 
that.
How does it improve the situation? The attacker has already the file handle.

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Mickaël Salaün]

On 28/11/2015 22:40, Richard Weinberger wrote:
> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>
>> Prohibit other users to change the executable mapped code.
> 
> Hmm, isn't the tmp file already unlinked at this stage?
> 

Yes, but if someone could open it before the unlink e.g. because of the umask 
(which does not seems to be the case thanks to mkstemp, but remains unspecified 
[1]), this user should then be able to have write access to the file 
descriptor/description.

 Mickaël

1. http://man7.org/linux/man-pages/man3/mkstemp.3.html#NOTES




signature.asc
Description: OpenPGP digital signature

[PATCH 1/2] um: Set secure access mode for temporary file

[Mickaël Salaün]

Replace the default insecure mode 0777 with 0700 for temporary file.

Prohibit other users to change the executable mapped code.

Signed-off-by: Mickaël Salaün 
---
 arch/um/os-Linux/mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
index 897e9ad..798aeb4 100644
--- a/arch/um/os-Linux/mem.c
+++ b/arch/um/os-Linux/mem.c
@@ -142,7 +142,7 @@ static int __init create_tmp_file(unsigned long long len)
if (fd < 0)
exit(1);
 
-   err = fchmod(fd, 0777);
+   err = fchmod(fd, 0700);
if (err < 0) {
perror("fchmod");
exit(1);
-- 
2.6.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Richard Weinberger]

Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
> Replace the default insecure mode 0777 with 0700 for temporary file.
> 
> Prohibit other users to change the executable mapped code.

Hmm, isn't the tmp file already unlinked at this stage?

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH 1/2] um: Set secure access mode for temporary file

[Mickaël Salaün]

Replace the default insecure mode 0777 with 0700 for temporary file.

Prohibit other users to change the executable mapped code.

Signed-off-by: Mickaël Salaün 
---
 arch/um/os-Linux/mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
index 897e9ad..798aeb4 100644
--- a/arch/um/os-Linux/mem.c
+++ b/arch/um/os-Linux/mem.c
@@ -142,7 +142,7 @@ static int __init create_tmp_file(unsigned long long len)
if (fd < 0)
exit(1);
 
-   err = fchmod(fd, 0777);
+   err = fchmod(fd, 0700);
if (err < 0) {
perror("fchmod");
exit(1);
-- 
2.6.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Richard Weinberger]

Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
> Replace the default insecure mode 0777 with 0700 for temporary file.
> 
> Prohibit other users to change the executable mapped code.

Hmm, isn't the tmp file already unlinked at this stage?

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Richard Weinberger]

Am 29.11.2015 um 00:00 schrieb Mickaël Salaün:
> 
> 
> On 28/11/2015 23:55, Richard Weinberger wrote:
>> Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
>>>
>>> On 28/11/2015 22:40, Richard Weinberger wrote:
 Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
> Replace the default insecure mode 0777 with 0700 for temporary file.
>
> Prohibit other users to change the executable mapped code.

 Hmm, isn't the tmp file already unlinked at this stage?

>>>
>>> Yes, but if someone could open it before the unlink e.g. because of the 
>>> umask (which does not seems to be the case thanks to mkstemp, but remains 
>>> unspecified [1]), this user should then be able to have write access to the 
>>> file descriptor/description.
>>
>> Yes, someone can open it before the unlink. But you change the file mode 
>> after that.
>> How does it improve the situation? The attacker has already the file handle.
> 
> The attacker could have the file handle only in a read-only mode, which is a 
> bit different than being able to write and execute arbitrary code thanks to a 
> file descriptor mapped RWX :)

Fair point. Please describe this in detail in the patch changelog. :-)

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Richard Weinberger]

Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
> 
> On 28/11/2015 22:40, Richard Weinberger wrote:
>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>
>>> Prohibit other users to change the executable mapped code.
>>
>> Hmm, isn't the tmp file already unlinked at this stage?
>>
> 
> Yes, but if someone could open it before the unlink e.g. because of the umask 
> (which does not seems to be the case thanks to mkstemp, but remains 
> unspecified [1]), this user should then be able to have write access to the 
> file descriptor/description.

Yes, someone can open it before the unlink. But you change the file mode after 
that.
How does it improve the situation? The attacker has already the file handle.

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Mickaël Salaün]

On 28/11/2015 22:40, Richard Weinberger wrote:
> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>
>> Prohibit other users to change the executable mapped code.
> 
> Hmm, isn't the tmp file already unlinked at this stage?
> 

Yes, but if someone could open it before the unlink e.g. because of the umask 
(which does not seems to be the case thanks to mkstemp, but remains unspecified 
[1]), this user should then be able to have write access to the file 
descriptor/description.

 Mickaël

1. http://man7.org/linux/man-pages/man3/mkstemp.3.html#NOTES




signature.asc
Description: OpenPGP digital signature

Re: [PATCH 1/2] um: Set secure access mode for temporary file

[Mickaël Salaün]

On 28/11/2015 23:55, Richard Weinberger wrote:
> Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
>>
>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
 Replace the default insecure mode 0777 with 0700 for temporary file.

 Prohibit other users to change the executable mapped code.
>>>
>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>
>>
>> Yes, but if someone could open it before the unlink e.g. because of the 
>> umask (which does not seems to be the case thanks to mkstemp, but remains 
>> unspecified [1]), this user should then be able to have write access to the 
>> file descriptor/description.
> 
> Yes, someone can open it before the unlink. But you change the file mode 
> after that.
> How does it improve the situation? The attacker has already the file handle.

The attacker could have the file handle only in a read-only mode, which is a 
bit different than being able to write and execute arbitrary code thanks to a 
file descriptor mapped RWX :)

 Mickaël



signature.asc
Description: OpenPGP digital signature