Re: [PATCH 1/2] um: Set secure access mode for temporary file
On 28/11/2015 23:55, Richard Weinberger wrote:
> On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>>
>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>>
>>>> Prohibit other users to change the executable mapped code.
>>>
>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>
>>
>> Yes, but if someone could open it before the unlink e.g. because of the
>> umask (which does not seem to be the case thanks to mkstemp, but remains
>> unspecified [1]), this user should then be able to have write access to the
>> file descriptor/description.
>
> Yes, someone can open it before the unlink. But you change the file mode
> after that.
> How does it improve the situation? The attacker has already the file handle.

The attacker could have the file handle only in a read-only mode, which is a
bit different than being able to write and execute arbitrary code thanks to a
file descriptor mapped RWX :)

Mickaël
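The distinction drawn in the reply above, as an added C example that is not part of the original thread or of the UML source: a handle opened before `fchmod()` and `unlink()` keeps exactly the access mode it was opened with, and the name is gone for later opens. The path template, `struct probe` and `probe_tmp_file()` are hypothetical names chosen for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct probe {                 /* hypothetical result record */
    mode_t created_mode;       /* permission bits right after mkstemp() */
    mode_t final_mode;         /* permission bits after fchmod(fd, 0700) */
    int early_read_ok;         /* early O_RDONLY handle still reads after unlink */
    int early_write_errno;     /* errno from write() on that early handle */
    int late_open_errno;       /* errno from open() by name after unlink */
};
/* Returns 0 on success, -1 if the setup itself failed. */
int probe_tmp_file(struct probe *p)
{
    char path[] = "/tmp/tmpmode-XXXXXX";  /* constructed template */
    struct stat st;
    char c = 0;
    int fd = mkstemp(path);
    if (fd < 0 || fstat(fd, &st) < 0)
        return -1;
    p->created_mode = st.st_mode & 07777;
    /* A second handle taken before fchmod()/unlink(), read-only. */
    int early = open(path, O_RDONLY);
    if (early < 0 || fchmod(fd, 0700) < 0 || unlink(path) < 0)
        return -1;
    if (fstat(fd, &st) < 0 || write(fd, "A", 1) != 1)
        return -1;
    p->final_mode = st.st_mode & 07777;
    /* The early handle keeps exactly the access it was opened with. */
    p->early_read_ok = (read(early, &c, 1) == 1 && c == 'A');
    p->early_write_errno = (write(early, "B", 1) < 0) ? errno : 0;
    p->late_open_errno = (open(path, O_RDWR) < 0) ? errno : 0;
    close(early); close(fd);
    return 0;
}

int main(void)
{
    struct probe p;
    if (probe_tmp_file(&p) < 0) return 1;
    printf("created %04o final %04o early-write errno %d reopen errno %d\n",
           (unsigned)p.created_mode, (unsigned)p.final_mode,
           p.early_write_errno, p.late_open_errno);
    return 0;
}
```

The write through the early read-only handle fails with EBADF whatever the permission bits are, so the mode set by `fchmod()` only decides what access a later `open()` would be granted.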
Re: [PATCH 1/2] um: Set secure access mode for temporary file
On 29.11.2015 at 00:00, Mickaël Salaün wrote:
>
>
> On 28/11/2015 23:55, Richard Weinberger wrote:
>> On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>>>
>>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>>>
>>>>> Prohibit other users to change the executable mapped code.
>>>>
>>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>>
>>>
>>> Yes, but if someone could open it before the unlink e.g. because of the
>>> umask (which does not seem to be the case thanks to mkstemp, but remains
>>> unspecified [1]), this user should then be able to have write access to the
>>> file descriptor/description.
>>
>> Yes, someone can open it before the unlink. But you change the file mode
>> after that.
>> How does it improve the situation? The attacker has already the file handle.
>
> The attacker could have the file handle only in a read-only mode, which is a
> bit different than being able to write and execute arbitrary code thanks to a
> file descriptor mapped RWX :)

Fair point. Please describe this in detail in the patch changelog. :-)

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/2] um: Set secure access mode for temporary file
On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>
> On 28/11/2015 22:40, Richard Weinberger wrote:
>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>
>>> Prohibit other users to change the executable mapped code.
>>
>> Hmm, isn't the tmp file already unlinked at this stage?
>>
>
> Yes, but if someone could open it before the unlink e.g. because of the umask
> (which does not seem to be the case thanks to mkstemp, but remains
> unspecified [1]), this user should then be able to have write access to the
> file descriptor/description.

Yes, someone can open it before the unlink. But you change the file mode after that.
How does it improve the situation? The attacker has already the file handle.

Thanks,
//richard
Re: [PATCH 1/2] um: Set secure access mode for temporary file
On 28/11/2015 22:40, Richard Weinberger wrote:
> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>
>> Prohibit other users to change the executable mapped code.
>
> Hmm, isn't the tmp file already unlinked at this stage?
>

Yes, but if someone could open it before the unlink e.g. because of the umask
(which does not seem to be the case thanks to mkstemp, but remains unspecified
[1]), this user should then be able to have write access to the file
descriptor/description.

Mickaël

1. http://man7.org/linux/man-pages/man3/mkstemp.3.html#NOTES
[PATCH 1/2] um: Set secure access mode for temporary file
Replace the default insecure mode 0777 with 0700 for temporary file. Prohibit other users to change the executable mapped code. Signed-off-by: Mickaël Salaün --- arch/um/os-Linux/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c index 897e9ad..798aeb4 100644 --- a/arch/um/os-Linux/mem.c +++ b/arch/um/os-Linux/mem.c @@ -142,7 +142,7 @@ static int __init create_tmp_file(unsigned long long len) if (fd < 0) exit(1); - err = fchmod(fd, 0777); + err = fchmod(fd, 0700); if (err < 0) { perror("fchmod"); exit(1); -- 2.6.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
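Review bot: the changelog does not say what the narrower mode protects against once a descriptor is already held. In create_tmp_file() the fchmod(fd, 0700) call runs only after the file exists and fd has been returned (the fd < 0 check precedes it), so it cannot change the access of a handle opened earlier, only what a later open is granted. Please spell that out in the commit message, and say why the owner execute bit is kept (0700 rather than 0600).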
Re: [PATCH 1/2] um: Set secure access mode for temporary file
On 28.11.2015 at 22:32, Mickaël Salaün wrote:
> Replace the default insecure mode 0777 with 0700 for temporary file.
>
> Prohibit other users to change the executable mapped code.

Hmm, isn't the tmp file already unlinked at this stage?

Thanks,
//richard