Re: [PATCH 4/5] connector/cn_proc: Allow non-root users access

From: Anjali Kulkarni
Date: Thu Mar 09 2023 - 16:59:50 EST




________________________________________
From: Christian Brauner <brauner@xxxxxxxxxx>
Sent: Thursday, March 9, 2023 9:09 AM
To: Anjali Kulkarni
Cc: davem@xxxxxxxxxxxxx; edumazet@xxxxxxxxxx; kuba@xxxxxxxxxx; pabeni@xxxxxxxxxx; zbr@xxxxxxxxxxx; johannes@xxxxxxxxxxxxxxxx; ecree.xilinx@xxxxxxxxx; leon@xxxxxxxxxx; keescook@xxxxxxxxxxxx; socketcan@xxxxxxxxxxxx; petrm@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx
Subject: Re: [PATCH 4/5] connector/cn_proc: Allow non-root users access

On Wed, Mar 08, 2023 at 07:19:52PM -0800, Anjali Kulkarni wrote:
> The patch allows non-root users to receive cn proc connector
> notifications, as anyone can normally get process start/exit status from
> /proc. The reason for not allowing non-root users to receive multicast
> messages is long gone, as described in this thread:
> https://linux-kernel.vger.kernel.narkive.com/CpJFcnra/multicast-netlink-for-non-root-process

Sorry that thread is kinda convoluted. Could you please provide a
summary in the commit message and explain why this isn't an issue
anymore?

ANJALI> Will change commit message as follows:
There were a couple of reasons for not allowing non-root users access initially - one is "that at some point there was no proper receive buffer management in place for netlink multicast. But that should be long fixed.", according to Andi Kleen & Alexey. The second is that some of the messages may contain data that is root only. But this should be handled with a finer granularity, which is being done at the protocol layer. The only problematic protocols are nf_queue and the firewall netlink, according to Andi. Hence, this restriction for non-root access was relaxed for rtnetlink initially (and subsequently for other protocols as well):
https://lore.kernel.org/all/20020612013101.A22399@xxxxxxxxxxxxx/
Since process connector messages are not sensitive (process fork, exit notifications etc.), and anyone can read /proc data, we can allow non-root access here too. The reason we need this change is that we cannot run our DB application as root.