[Pvfs2-developers] Possible IO exploit?

Sam Lang slang at mcs.anl.gov
Thu Jun 5 15:14:20 EDT 2008


On Jun 5, 2008, at 2:02 PM, David Bonnie wrote:

> Hey all -
>
> Nick and I are digging through the permissions checking in various state
> machines and we're a little confused about something.  It seems that both
> the truncate and io state machines do not check permissions unless root
> squashing has been performed.  If it hasn't, the checks in-place now
> simply allow access.
>
> Is there any checking going on somewhere we aren't finding it?  Both state
> machines use the PINT_SERVER_CHECK_NONE value in the server request
> parameters structure which seems to bypass all permissions checking
> entirely except for the root squashing case.  Right now the client-side
> calls do a getattr before doing any io and thus get denied access if
> privileges don't match.

That's the only checking we do for IO.

>
>
> It seems like it'd be fairly easy to write a program that could directly
> send io requests with any file handle to grab or overwrite data.

Even if we checked permissions for IO at the servers, it's just as easy
to write a program that sends a different uid.

>
>
> Is this something that just got overlooked or is there some kind of check
> in place to prevent this?

The kernel module and daemon will perform the proper checks -- we do  
assume that code won't be compromised, but it can only be run as root,  
so if it is, the attacker already has root anyway.  Without auth/authz  
for requests, there's just no way to prevent the userspace apps from  
being modified to be malicious (even with root squash enabled).
-sam

>
>
> Thanks!
> - Dave
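Added example (not part of the original thread and not PVFS2 code): a toy Python model of the point made in the reply, that a server-side permission check against a client-supplied uid adds nothing unless the request itself is authenticated. The object table, key and all function names are hypothetical; the HMAC capability stands in for whatever auth/authz scheme a real deployment would use.

```python
import hashlib
import hmac

# Constructed sample metadata: handle -> owner uid and mode bits (not real PVFS2 data).
OBJECTS = {0x1001: {"owner": 1000, "mode": 0o600}}
SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the servers


def mode_allows(handle, uid, op):
    """Owner-only check of the mode bits for op in {'read', 'write'}."""
    obj = OBJECTS[handle]
    bit = 0o400 if op == "read" else 0o200
    return uid == obj["owner"] and bool(obj["mode"] & bit)


def io_check_none(req):
    """Models the behaviour described in the thread: IO is not checked at the server."""
    return True


def io_check_claimed_uid(req):
    """Server checks permissions, but against the uid field the client filled in."""
    return mode_allows(req["handle"], req["uid"], req["op"])


def _mac(handle, uid, op):
    msg = f"{handle}:{uid}:{op}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_capability(handle, authenticated_uid, op):
    """Hypothetical: a server that has authenticated the caller signs what it may do."""
    if not mode_allows(handle, authenticated_uid, op):
        return None
    return _mac(handle, authenticated_uid, op)


def io_check_capability(req):
    """IO server recomputes the MAC; a changed uid, handle or op invalidates it."""
    expected = _mac(req["handle"], req["uid"], req["op"])
    return hmac.compare_digest(expected, req.get("cap") or "")


if __name__ == "__main__":
    honest = {"handle": 0x1001, "uid": 2000, "op": "read"}  # non-owner
    altered = dict(honest, uid=1000)                        # uid field changed by the client
    for name, check in [("none", io_check_none), ("claimed uid", io_check_claimed_uid),
                        ("capability", io_check_capability)]:
        print(f"{name:12} honest={check(honest)} altered={check(altered)}")
```
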