xfs
[Top] [All Lists]

Re: [Security] XFS swapext ioctl minor security issues

To: Christoph Hellwig <hch@xxxxxxxxxxxxx>, xfs@xxxxxxxxxxx
Subject: Re: [Security] XFS swapext ioctl minor security issues
From: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx>
Date: Wed, 16 Jun 2010 09:07:10 -0400
Cc: Eugene Teo <eugeneteo@xxxxxxxxx>, aelder@xxxxxxx, security@xxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=R7PXNlO4k6+9Ipqbl0Do1dO7fvP6KuAuEVbocSQRtQE=; b=HFmw2hAa/Fcl2VkC96Ij7j7p2sCdl/49WFnehzu2ESXCJXcOpmOdtv4MvNZPO5qKvN dtz5ZJFt+qC24DOjNPI4aHfZTvpILjYA2LwroaaTLTruWF+AzSdRYf9z89TVhwxPo1/S 4Kt2jOh+3pXefKgH410OI/qM416qVqj9vSqFs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=kcpHaZ9+by9rEAwnWRSzbr438ezmZPZQLVdA/u/Wp9dDyDlPGD1c8NhykHwJrK0esm 8gQw/3VesM9SRkgcaqq71b9ulFcnmzO1434/m1AbLAt1Lcux8+0ZUO1hjq7r23emRCZb sF3wcW6rhdVuxxPw5NzT1pvsGpHHtLvQj18uQ=
In-reply-to: <20100616121142.GA22317@xxxxxxxxxxxxx>
References: <AANLkTilrwmh6n7yYkqyvy_y5-bgS-BEDept0WlLg5GE1@xxxxxxxxxxxxxx> <AANLkTikGFq8iv4S3QWp5ZCvXJsjuiP2tKweSl6QwHc6U@xxxxxxxxxxxxxx> <20100616121142.GA22317@xxxxxxxxxxxxx>
Sure thing.  This patch is against 2.6.34, but it appears that it can
apply to >= 2.6.25.  Let me know if you need a fix for < 2.6.25.

For those new to the conversation, this patch prevents user "foo" from
using the SWAPEXT ioctl to swap a write-only file owned by user "bar"
into a file owned by "foo" and subsequently reading it.  It does so by
checking that the file descriptors passed to the ioctl are also opened
for reading.  In addition, after swapping any suid/sgid bits should be
cleared.

-Dan

On Wed, Jun 16, 2010 at 8:11 AM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> Dan, can you please send your fixes to the XFS list so that we can
> include them?
>
>

Attachment: xfs-swapext-ioctl.patch
Description: Text Data

<Prev in Thread] Current Thread [Next in Thread>