Issues with Linux kernel oplocks
Jeremy Allison
jra at samba.org
Tue Jul 23 14:25:52 MDT 2013
On Tue, Jul 23, 2013 at 03:35:12PM -0400, J. Bruce Fields wrote:
>
> >From 'man 2 fcntl':
>
> Sending a signal to the owner process (group) specified by
> F_SETOWN is subject to the same permissions checks as are
> described for kill(2), where the sending process is the one that
> employs F_SETOWN (but see BUGS below).
>
> And 'man 2 kill':
>
> For a process to have permission to send a signal it must either
> be privileged (under Linux: have the CAP_KILL capability), or
> the real or effective user ID of the sending process must equal
> the real or saved set-user-ID of the target process.
>
> I'm not sure what exactly the threat is here. (An unprivileged process
> being able to trigger a signal to a privileged process sharing the same
> file descriptor?) In any case it's clearly intentional.
But that is *clearly* a bug w.r.t. leases. The whole point of
leases is that if a process running under uid 123 opens a file and requests a lease,
when a process owned by uid 345 tries to open that file then the original process
*must* get a signal. Neither process has to be privileged, neither
process has to have changed uids.
For leases to work this condition:
"the real or effective user ID of the sending process must equal
the real or saved set-user-ID of the target process."
cannot be correct. Else you could only break leases between
processes who are owned by the same uid - or from a privileged
opener.
Jeremy.
More information about the samba-technical
mailing list