From: Greg KH <greg@kroah.com>
To: Philipp Reisner <philipp.reisner@linbit.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
dm-devel@redhat.com, Evgeniy Polyakov <zbr@ioremap.net>,
linux-fbdev-devel@lists.sourceforge.net
Subject: Re: [PATCH 0/8] SECURITY ISSUE with connector
Date: Fri, 2 Oct 2009 09:10:49 -0700 [thread overview]
Message-ID: <20091002161048.GA23044@kroah.com> (raw)
In-Reply-To: <200910021754.12940.philipp.reisner@linbit.com>
On Fri, Oct 02, 2009 at 05:54:12PM +0200, Philipp Reisner wrote:
> > On Fri, Oct 02, 2009 at 02:40:03PM +0200, Philipp Reisner wrote:
> > > Affected: All code that uses connector, in kernel and out of mainline
> > >
> > > The connector, as it is today, does not allow the in kernel receiving
> > > parts to do any checks on privileges of a message's sender.
> >
> > So, assume I know nothing about the connector architecture, what does
> > this mean in a security context?
> >
>
> Think of the connector as a layer on top of netlink that allows more
> than a hard coded number of subsystems to use netlink.
>
> Netlink is used e.g. to modify routing tables in the kernel.
>
> As it is today, subsystem utilising the connector can not examine
> the capabilities of the user/program that sent the netlink message.
>
> If the same would be true for netlink, than every unprivileged user
> could change the routing tables on your box.
>
> > > I know, there are not many out there that like connector, but as
> > > long as it is in the kernel, we have to fix the security issues it has!
> >
> > And what specifically are the security issues?
> >
>
> unprivileged users can trigger operations that are supposed to be only
> accessible to users having CAP_SYS_ADMIN (or some other CAP_XXX)
Ok, but it doesn't look like there are that many connector operations
right now, right?
Anyway, I have no objection to the patches, and figure they should go
through David's network tree.
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <greg@kroah.com>
To: Philipp Reisner <philipp.reisner@linbit.com>
Cc: linux-fbdev-devel@lists.sourceforge.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, dm-devel@redhat.com,
Evgeniy Polyakov <zbr@ioremap.net>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 0/8] SECURITY ISSUE with connector
Date: Fri, 2 Oct 2009 09:10:49 -0700 [thread overview]
Message-ID: <20091002161048.GA23044@kroah.com> (raw)
In-Reply-To: <200910021754.12940.philipp.reisner@linbit.com>
On Fri, Oct 02, 2009 at 05:54:12PM +0200, Philipp Reisner wrote:
> > On Fri, Oct 02, 2009 at 02:40:03PM +0200, Philipp Reisner wrote:
> > > Affected: All code that uses connector, in kernel and out of mainline
> > >
> > > The connector, as it is today, does not allow the in kernel receiving
> > > parts to do any checks on privileges of a message's sender.
> >
> > So, assume I know nothing about the connector architecture, what does
> > this mean in a security context?
> >
>
> Think of the connector as a layer on top of netlink that allows more
> than a hard coded number of subsystems to use netlink.
>
> Netlink is used e.g. to modify routing tables in the kernel.
>
> As it is today, subsystem utilising the connector can not examine
> the capabilities of the user/program that sent the netlink message.
>
> If the same would be true for netlink, than every unprivileged user
> could change the routing tables on your box.
>
> > > I know, there are not many out there that like connector, but as
> > > long as it is in the kernel, we have to fix the security issues it has!
> >
> > And what specifically are the security issues?
> >
>
> unprivileged users can trigger operations that are supposed to be only
> accessible to users having CAP_SYS_ADMIN (or some other CAP_XXX)
Ok, but it doesn't look like there are that many connector operations
right now, right?
Anyway, I have no objection to the patches, and figure they should go
through David's network tree.
thanks,
greg k-h
next prev parent reply other threads:[~2009-10-02 16:13 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-02 12:40 [PATCH 0/8] SECURITY ISSUE with connector Philipp Reisner
2009-10-02 12:40 ` [PATCH 1/8] connector: Keep the skb in cn_callback_data Philipp Reisner
2009-10-02 12:40 ` [PATCH 2/8] connector: Provide the sender's credentials to the callback Philipp Reisner
2009-10-02 12:40 ` [PATCH 3/8] connector/dm: Fixed a compilation warning Philipp Reisner
2009-10-02 12:40 ` [PATCH 4/8] connector: Removed the destruct_data callback since it is always kfree_skb() Philipp Reisner
2009-10-02 12:40 ` [PATCH 5/8] dm/connector: Only process connector packages from privileged processes Philipp Reisner
2009-10-02 12:40 ` [PATCH 6/8] dst/connector: Disallow unpliviged users to configure dst Philipp Reisner
2009-10-02 12:40 ` [PATCH 7/8] pohmelfs/connector: Disallow unpliviged users to configure pohmelfs Philipp Reisner
2009-10-02 12:40 ` [PATCH 8/8] uvesafb/connector: Disallow unpliviged users to send netlink packets Philipp Reisner
2009-10-02 16:40 ` [PATCH 5/8] dm/connector: Only process connector packages from privileged processes Jonathan Brassow
2009-10-02 13:58 ` [PATCH 0/8] SECURITY ISSUE with connector Greg KH
2009-10-02 15:54 ` Philipp Reisner
2009-10-02 15:54 ` Philipp Reisner
2009-10-02 16:10 ` Greg KH [this message]
2009-10-02 16:10 ` Greg KH
2009-10-02 16:57 ` David Miller
2009-10-02 16:57 ` David Miller
2009-10-02 16:21 ` Lars Ellenberg
2009-10-02 16:21 ` Lars Ellenberg
2009-10-02 17:56 ` David Miller
2009-10-02 18:00 ` Greg KH
2009-10-02 18:05 ` David Miller
2009-10-02 18:05 ` David Miller
2009-10-02 18:15 ` Greg KH
2009-10-04 10:24 ` Evgeniy Polyakov
2009-10-04 10:24 ` Evgeniy Polyakov
2009-10-09 22:25 ` Greg KH
2009-10-09 22:25 ` Greg KH
2009-10-13 9:28 ` [PATCH 0/7] SECURITY ISSUE with connector for 2.6.31.y Philipp Reisner
2009-10-13 9:28 ` [PATCH 1/7] connector: Keep the skb in cn_callback_data Philipp Reisner
2009-10-13 9:28 ` [PATCH 2/7] connector: Provide the sender's credentials to the callback Philipp Reisner
2009-10-13 9:28 ` [PATCH 3/7] connector: Removed the destruct_data callback since it is always kfree_skb() Philipp Reisner
2009-10-13 9:28 ` [PATCH 4/7] dm/connector: Only process connector packages from privileged processes Philipp Reisner
2009-10-13 9:28 ` [PATCH 5/7] dst/connector: Disallow unpliviged users to configure dst Philipp Reisner
2009-10-13 9:28 ` [PATCH 6/7] pohmelfs/connector: Disallow unpliviged users to configure pohmelfs Philipp Reisner
2009-10-13 9:28 ` [PATCH 7/7] uvesafb/connector: Disallow unpliviged users to send netlink packets Philipp Reisner
2009-10-13 16:25 ` [PATCH 0/7] SECURITY ISSUE with connector for 2.6.31.y Serge E. Hallyn
2009-10-15 18:29 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091002161048.GA23044@kroah.com \
--to=greg@kroah.com \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=dm-devel@redhat.com \
--cc=linux-fbdev-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=philipp.reisner@linbit.com \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.