Re: [security]: kernel ioctl()'s [3]

Theodore Y. Ts'o (tytso@mit.edu)
Thu, 1 Jul 1999 18:51:43 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Matthew Wilcox: "Re: Standard for module delivery"
Previous message: David Woodhouse: "Re: Standard for module delivery"
Maybe in reply to: Chris Evans: "[security]: kernel ioctl()'s [3]"

Date: Thu, 1 Jul 1999 20:53:11 +0100 (GMT)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>

There is what I would consider to be a minor logic error in the handling
of immutable in ext2's code.

Now that setting/removal of immutable/append only is a specific
capability, there is no reason user "fred" shouldn't be given this
capability so he can manage immutable/append only flag on his _own files_.

Unfortunately the current implementation allows processes with
CAP_IMMUTABLE to manipulate these flags on _any_ file.

Patch follows - Alan if you agree with the change in logic please apply to
next -ac patch? It's against ioctl.c in ext2 directory.

These seems reasonable to me. It doesn't change the behaviour of
non-capability systems, since root will have both CAP_IMMUTABLE and
CAP_FOWNER, so it can change the immutable flag on any file, and
in a non-capability system non-root processes will have neither
CAP_IMMUTABLE or CAP_FOWNER, so they won't be able to change the
immutable flag.

The patch allows someone to only be able to change the immutable flag on
their own files if they have CAP_IMMUTABLE, which seems like a
reasonable thing to do. It should get applied to the 2.3 tree, and
perhaps to the 2.2 tree (it really isn't a bug fix as much as it is a
new feature, although it's fairly low risk as new features go).

- Ted

--- ioctl.c.old Thu Jul 1 07:38:45 1999
+++ ioctl.c Thu Jul 1 07:40:12 1999
@@ -33,18 +33,17 @@
flags = flags & EXT2_FL_USER_MODIFIABLE;
/*
* The IMMUTABLE and APPEND_ONLY flags can only be changed by
- * the super user when the security level is zero.
+ * a process with the relevent capability.
*/
if ((flags & (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL)) ^
(inode->u.ext2_i.i_flags &
- (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL))) {
+ (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL)))
/* This test looks nicer. Thanks to Pauline Middelink */
if (!capable(CAP_LINUX_IMMUTABLE))
return -EPERM;
- } else
- if ((current->fsuid != inode->i_uid) &&
- !capable(CAP_FOWNER))
- return -EPERM;
+
+ if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
+ return -EPERM;
if (IS_RDONLY(inode))
return -EROFS;
inode->u.ext2_i.i_flags = (inode->u.ext2_i.i_flags &

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matthew Wilcox: "Re: Standard for module delivery"
Previous message: David Woodhouse: "Re: Standard for module delivery"
Maybe in reply to: Chris Evans: "[security]: kernel ioctl()'s [3]"