From: Michal Hocko <mhocko@kernel.org>
To: linux-api@vger.kernel.org
Cc: Manfred Spraul <manfred@colorfullife.com>,
Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Mike Waychison <mikew@google.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org
Subject: shmctl(SHM_STAT) vs. /proc/sysvipc/shm permissions discrepancies
Date: Tue, 19 Dec 2017 10:48:48 +0100 [thread overview]
Message-ID: <20171219094848.GE2787@dhcp22.suse.cz> (raw)
Hi,
we have been contacted by our partner about the following permission
discrepancy
1. Create a shared memory segment with permissions 600 with user A using
shmget(key, 1024, 0600 | IPC_CREAT)
2. ipcs -m should return an output as follows:
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x58b74326 759562241 A 600 1024 0
3. Try to read the metadata with shmctl(0, SHM_STAT,...) as user B.
4. shmctl will return -EACCES
The supper set information provided by shmctl can be retrieved by
reading /proc/sysvipc/shm which does not require read permissions
because it is 444.
It seems that the discrepancy is there since ae7817745eef ("[PATCH] ipc:
add generic struct ipc_ids seq_file iteration") when the proc interface
has been introduced. The changelog is really modest on information or
intention but I suspect this just got overlooked during review. SHM_STAT
has always been about read permission and it is explicitly documented
that way.
I am not a security expert to judge whether this leak can have some
interesting consequences but I am really interested whether this is
something we want to keep that way. Do we want to filter and dump only
shmids the caller has access to? This would break the delegation AFAICS.
Do we want to make the file root only? That would probably break an
existing userspace as well.
Or should we simply allow SHM_STAT for processes without a read permission
because the same information can be read by other means already?
Any other ideas?
--
Michal Hocko
SUSE Labs
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next reply other threads:[~2017-12-19 9:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-19 9:48 Michal Hocko [this message]
2017-12-19 16:45 ` Michael Kerrisk (man-pages)
2017-12-20 9:20 ` Michal Hocko
2017-12-20 16:17 ` Michael Kerrisk (man-pages)
2017-12-21 8:02 ` Michal Hocko
2017-12-21 8:56 ` Michael Kerrisk (man-pages)
2018-02-12 17:30 ` Davidlohr Bueso
2017-12-20 8:32 ` Dr. Manfred Spraul
2017-12-20 8:44 ` Michael Kerrisk (man-pages)
2017-12-20 9:13 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171219094848.GE2787@dhcp22.suse.cz \
--to=mhocko@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=manfred@colorfullife.com \
--cc=mikew@google.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox