Re: Further shmctl() SHM_LOCK strangeness

[Michael Kerrisk]

Rik,

> On Wed, 24 Nov 2004, Hugh Dickins wrote:
> 
> >> regardles of the segment's ownership or permissions,
> >> providing the size of the segment falls within the
> >> process's RLIMIT_MEMLOCK limit.
> 
> > Offhand I find it hard to grasp whether it's harmless or bad,
> > but inclined to think bad - if there happen to be lots of small
> > enough shared memory segments on the system, a series of processes
> > run by one unprivileged user can lock down lots of memory?
> 
> Mlocking and munlocking of shm segments is accounted
> against the user_struct, not against the process.
> 
> This should stop any malicious exploits.

As noted by Hugh, the problem also applies for
SHM_UNLOCK: anyone can unlock any System V shared 
memory segment.  If our reason for locking memory 
was security (no swapping), then this does allow
for exploits.

(Also, I just want to reemphasise that these semantics
are inconsistent with the types of ownership and 
permission checking performed for just about 
every other kind of System V "ctl" operation.)

Cheers,

Michael

-- 
Geschenkt: 3 Monate GMX ProMail + 3 Top-Spielfilme auf DVD
++ Jetzt kostenlos testen http://www.gmx.net/de/go/mail ++
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/