Re: 2.1.43 curious pipe-entries in / (root)

Kevin Buhr (
26 Jun 1997 11:39:06 -0500 (Alan Cox) writes:
> In which case we need to ensure sys_open() calls on them return -EINVAL
> as does sys_chown, sys_chmod, sys_fchown and anything else.

As a regular user:

1. An "open" call for read access and "read" calls work as "expected".
The user owning the pipe can suck the contents of the pipe out from
under the process. An "open" call for write (or read/write) access
returns ETXTBUSY, of all things.

I guess if the root partition is NFS exported (even read-only), we
could have a real security problem here with remote users sucking
out pipe contents, though I don't have the time to test this.
Also, if the NFS daemon (or some other program using sys_setfsuid)
creates an anonymous pipe at an inopportune moment, the pipe could
be compromised. Is there any more obvious way to exploit this? I
confess that I can't see one.

2. "chmod" calls work as expected.

3. "chown" and "chgrp" calls cause a kernel oops (!). My guess is that
this has something to do with "chown" and "chgrp" calls on things
that have existence in the dcache and nowhere else. This could be
a problem on filesystems using the new FS_IBASKET feature, so I'll
track this down when I get a minute.

The possible NFS-exploitation is probably enough to justify patching
this out. Should I send such a patch to Linus?

Kevin <>