[Pvfs2-developers] Possible IO exploit?
slang at mcs.anl.gov
Thu Jun 5 15:14:20 EDT 2008
On Jun 5, 2008, at 2:02 PM, David Bonnie wrote:
> Hey all -
> Nick and I are digging through the permissions checking in various
> machines and we're a little confused about something. It seems that
> the truncate and io state machines do not check permissions unless
> squashing has been performed. If it hasn't, the checks in-place now
> simply allow access.
> Is there any checking going on somewhere we aren't finding it? Both
> machines use the PINT_SERVER_CHECK_NONE value in the server request
> parameters structure which seems to bypass all permissions checking
> entirely except for the root squashing case. Right now the client-
> calls do a getattr before doing any io and thus get denied access if
> privileges don't match.
That's the only checking we do for IO.
> It seems like it'd be fairly easy to write a program that could
> send io requests with any file handle to grab or overwrite data.
Even if we checked permissions for IO at the servers, it's just as easy
to write a program that sends a different uid.
> Is this something that just got overlooked or is there some kind of
> in place to prevent this?
The kernel module and daemon will perform the proper checks -- we do
assume that code won't be compromised, but it can only be run as root,
so if it is, the attacker already has root anyway. Without auth/authz
for requests, there's just no way to prevent the userspace apps from
being modified to be malicious (even with root squash enabled).
> - Dave
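The reply's argument, as an added example (not part of the original thread and not PVFS2 code): a server-side check on a uid the client supplies cannot tell who sent the request, while a request carrying a server-issued MAC over (handle, uid, ops, expiry) is rejected if any field is changed. `SERVER_KEY`, `OWNERS` and all function names are hypothetical, and how the issuing server authenticates the user is assumed to happen elsewhere.

```python
import hashlib
import hmac
import time

# Hypothetical key held only by the servers, never by clients.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample ownership table: file handle -> owning uid.
OWNERS = {1001: 500, 1002: 600}


def check_claimed_uid(handle, claimed_uid):
    """Permission check on a uid taken straight from the request.

    The server has no way to tell whether the sender really is that uid,
    so the result depends only on what the request says.
    """
    return OWNERS.get(handle) == claimed_uid


def _mac(handle, uid, ops, expires):
    # Fields are integers or a short ops string, so "|" cannot be ambiguous.
    msg = f"{handle}|{uid}|{ops}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_capability(handle, uid, ops, expires):
    """Issued by a server after authenticating the user and checking ownership."""
    if OWNERS.get(handle) != uid:
        raise PermissionError("uid does not own this handle")
    return {"handle": handle, "uid": uid, "ops": ops,
            "expires": expires, "tag": _mac(handle, uid, ops, expires)}


def check_capability(cap, handle, op, now=None):
    """I/O server check: the MAC binds handle, uid, ops and expiry together."""
    now = time.time() if now is None else now
    expected = _mac(cap["handle"], cap["uid"], cap["ops"], cap["expires"])
    if not hmac.compare_digest(expected, cap["tag"]):
        return False  # a field was altered, or the tag did not come from a server
    return cap["handle"] == handle and op in cap["ops"] and cap["expires"] >= now


if __name__ == "__main__":
    cap = issue_capability(1001, 500, "r", expires=2000)
    print("claimed uid accepted:", check_claimed_uid(1001, 500))
    print("capability read:", check_capability(cap, 1001, "r", now=1000))
    print("altered handle:", check_capability(dict(cap, handle=1002), 1002, "r", now=1000))
```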