Re: [PATCH] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
From: Oleg Nesterov
Date: Tue Mar 24 2020 - 16:08:56 EST
Meanwhile, let me send V2. I added the comment and updated the changelog.
On 03/24, Oleg Nesterov wrote:
>
> On 03/23, Eric W. Biederman wrote:
> >
> > So far what we have is a report Oleg has read somewhere that some
> > program doing something regressed, and his patch to fix that specific
> > program. This problem was not noticed for several years.
>
> Yes, this was reported on bugzilla.redhat.com, I'll add you to CC list.
>
> > Presumably the problem is that a message queue was written to by one
> > user and was read by another user to cause check_kill_permission to
> > fail. Can someone tell me if that was the case?
>
> I do not know. Yoji, did you hit this bug or did you find it by code
> inspection ?
>
> > So I am looking for something that makes it clear we are not removing
> > a permission checking and backporting a security hole.
>
> Yes, I thought about this too. I can be easily wrong, please correct me,
> but I came to conclusion the old behaviour (no permission check) is fine
> security-wise.
>
> > Further even if in the common case it is the right thing to do to remove
> > the permission check, the handling around exec looks bad enough that we
> > will be backporting a security hole if we don't fix that and backport
> > that at the same time.
>
> could you explain what exactly you do not like wrt mq_notify/exec ?
> I must have missed something.
>
> > p.s. I am grouchy as temporary fixes in this part of the code base
> > don't tend to be temporary and the entire signal/exec/ptrace world
> > is bordering on unmaintainble and incomprehensible as a result.
>
> Eric, please feel free to make another fix you like more. I know that
> I can't convince you anyway, I won't argue.
> Oleg.