Issues with Linux kernel oplocks

J. Bruce Fields bfields at fieldses.org
Tue Jul 23 13:35:12 MDT 2013 

On Tue, Jul 23, 2013 at 02:06:04PM +0200, Ralph Wuerthner wrote:
> Hi,
> 
> we identified an interesting defect with Samba and Linux kernel oplocks:
> 
> Having Samba granted an oplock on a file to a CIFS client. Next a
> regular user space application running on the Samba system is trying
> to access the same file too. The regular procedure would be that the
> kernel sends a signal to the Samba process holding the kernel lease
> for this file. Samba would receive the signal and inform the CIFS
> client about the lease break and after receiving the client response
> return the lease for the file.
> 
> Unfortunately in our tests the Linux kernel does not always send the
> signal to the Samba process. It turned out that the kernel compares
> in sigio_perm() the lock/lease owner (fown) euid/uid with the
> thread's suid/uid who needs to receive the signal. If they don't
> match, no signal will be send. Because Samba is switching its uids
> back and forth this compare might fail and the signal will be not
> send.
> 
> In our particular tests Samba is requesting the lease with uid
> 11000500, making uid 11000500 the owner of the lease. If Samba is
> running as root when the signal comes the compare fails, the signal
> is not send and Samba cannot release the lease.
> 
> Any idea what would be the rational of this behaviour in the Linux
> kernel? Has somebody seen this before?

>From 'man 2 fcntl':

	Sending a signal to the owner process (group) specified by
	F_SETOWN is subject to the same permissions checks as are
	described for kill(2), where the sending process is the one that
	employs F_SETOWN (but see BUGS below).

And 'man 2 kill':

	For a process to have permission to send a signal it must either
	be privileged (under Linux: have the CAP_KILL capability), or
	the real or effective user ID of the sending process must equal
	the real or saved set-user-ID of the target process.

I'm not sure what exactly the threat is here.  (An unprivileged process
being able to trigger a signal to a privileged process sharing the same
file descriptor?)  In any case it's clearly intentional.

At the time you set up the oplock, couldn't you use F_SETOWN to direct
oplock-break signals to some dedicated thread that doesn't change uid?

--b.

More information about the samba-technical mailing list