[Security] [PATCH 00/20] world-writable files in sysfs and debugfs

James Bottomley James.Bottomley at suse.de
Tue Mar 15 12:32:31 EDT 2011


On Tue, 2011-03-15 at 19:08 +0300, Vasiliy Kulikov wrote:
> On Tue, Mar 15, 2011 at 07:50 -0400, James Bottomley wrote:
> >      1. Did anyone actually check for capabilities before assuming world
> >         writeable files were wrong?
> 
> I didn't check all these files as I haven't got this hardware :-)

You don't need the hardware to check ... the question becomes whether a
capabilities test is sitting in the implementation or not.

> But as I can "chmod a+w" all sysfs files on my machine and they all
> become sensible to nonroot writes, I suppose there is nothing preventing
> nonroot users from writing to these buggy sysfs files.  As you can see,
> there are no capable() checks in these drivers in open() or write().
> 
> >      2. Even if there aren't any capabilities checks in the implementing
> >         routines, should there be (are we going the separated
> >         capabilities route vs the monolithic root route)?
> 
> IMO, in any case the good old DAC security model must not be obsoleted
> just because someone thinks that MAC or anything else is more convenient
> for him.  If sysfs is implemented via a filesystem then it must support
> POSIX permission semantics.  MAC is very good in _some_ cases, but not
> instead of DAC.

Um, I'm not sure that's even an issue.  Capabilities have CAP_ADMIN,
which is precisely the same check as owner == root.  We use this a lot
because ioctls ignore the standard unix DAC model.

James
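Vasiliy's point above is that a sysfs or debugfs attribute created with a world-writable mode is reachable by any local user whenever the driver's own open()/write() path does no capable() check of its own, so the DAC mode bits are the only thing standing in the way. A defender's first step is to find such files on a running system. The shell script below is an added example, not code from this thread or from the patch series it discusses; audit_world_writable(), count_world_writable() and make_fixture() are names chosen here, and the fixture tree (files named status, control and regs under a fake device) is constructed to imitate the layout of /sys and /sys/kernel/debug rather than copied from any real driver.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for regular
# files that are writable by "other", i.e. by any unprivileged local user.
# Intended targets are the sysfs and debugfs mounts:
#     audit_world_writable /sys /sys/kernel/debug
audit_world_writable() {
    for root in "$@"; do
        # Skip roots that are not mounted / do not exist on this machine.
        [ -d "$root" ] || continue
        # -type f   : attribute files only, directories are not interesting
        # -perm -0002: the "other write" bit is set, whatever else is set
        # Permission-denied noise (e.g. debugfs without root) is suppressed.
        find "$root" -type f -perm -0002 2>/dev/null
    done
}

# Number of findings; 0 means nothing under the given roots is
# world-writable at the DAC level.
count_world_writable() {
    audit_world_writable "$@" | wc -l | tr -d ' '
}

# Constructed fixture that mimics a small sysfs/debugfs layout so the audit
# can be exercised offline. Nothing here is a real driver's attribute.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/devices/fake0" "$dir/kernel/debug/fake0"
    printf '0\n' > "$dir/devices/fake0/status"        # read-only for others
    chmod 0644 "$dir/devices/fake0/status"
    printf '0\n' > "$dir/devices/fake0/control"       # world-writable: finding
    chmod 0666 "$dir/devices/fake0/control"
    printf '0\n' > "$dir/kernel/debug/fake0/regs"     # world-writable: finding
    chmod 0622 "$dir/kernel/debug/fake0/regs"
    chmod 0777 "$dir/kernel/debug/fake0"              # directory bits are ignored
    printf '%s\n' "$dir"
}
```

An empty result means every attribute is protected by its mode bits; each hit is a file whose driver must either perform the capable() check James refers to (capable(CAP_SYS_ADMIN) in practice) in its store()/write() path, or have its mode tightened so that only the owner can write. Run it as root if debugfs is mounted, since the debugfs root is normally not readable by other users and the audit would otherwise silently see nothing there.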

More information about the linux-arm-kernel mailing list