Issues with Linux kernel oplocks

Jeremy Allison jra at samba.org
Tue Jul 23 14:25:52 MDT 2013


On Tue, Jul 23, 2013 at 03:35:12PM -0400, J. Bruce Fields wrote:
> 
> From 'man 2 fcntl':
> 
> 	Sending a signal to the owner process (group) specified by
> 	F_SETOWN is subject to the same permissions checks as are
> 	described for kill(2), where the sending process is the one that
> 	employs F_SETOWN (but see BUGS below).
> 
> And 'man 2 kill':
> 
> 	For a process to have permission to send a signal it must either
> 	be privileged (under Linux: have the CAP_KILL capability), or
> 	the real or effective user ID of the sending process must equal
> 	the real or saved set-user-ID of the target process.
> 
> I'm not sure what exactly the threat is here.  (An unprivileged process
> being able to trigger a signal to a privileged process sharing the same
> file descriptor?)  In any case it's clearly intentional.

But that is *clearly* a bug w.r.t. leases. The whole point of
leases is that if a process running under uid 123 opens a file and requests a lease,
when a process owned by uid 345 tries to open that file then the original process
*must* get a signal. Neither process has to be privileged, neither
process has to have changed uids.

For leases to work this condition:

"the real or effective user ID of the sending process must equal
the real or saved set-user-ID of the target process."

cannot be correct. Else you could only break leases between
processes that are owned by the same uid - or from a privileged
opener.

Jeremy.
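
The lease-break path being discussed, as an added example that is not code from this thread or from Samba: one process takes a write lease with F_SETLEASE on a temporary file it owns, a forked child opens that file, and the lease holder checks that the kernel delivered SIGIO before releasing the lease so the child's open can complete. Both processes run under the same uid here, so this exercises the signal mechanism itself, not the cross-uid case Jeremy describes; the file path, the outcome codes and the 3 s poll bound are constructed for the example.

```c
#define _GNU_SOURCE 1          /* F_SETLEASE is a Linux extension in glibc */
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#ifndef F_SETLEASE
#define F_SETLEASE 1024        /* Linux value, in case the header did not expose it */
#endif
enum lease_outcome { LEASE_BROKEN, LEASE_NO_SIGNAL, LEASE_UNSUPPORTED, LEASE_ERROR };
static volatile sig_atomic_t got_sigio;            /* set by the lease-break signal */
static void on_sigio(int sig) { (void)sig; got_sigio = 1; }

/* Take a write lease on a constructed temp file, have a child open that file,
 * and report whether the kernel delivered SIGIO to the lease holder. */
int lease_break_demo(void)
{
    char path[] = "/tmp/lease-demo-XXXXXX";        /* constructed sample file */
    struct sigaction sa;
    struct timespec tick = { 0, 10 * 1000 * 1000 }; /* 10 ms poll interval */
    int fd, status = 0, i; pid_t pid;

    got_sigio = 0;
    fd = mkstemp(path);
    if (fd < 0) return LEASE_ERROR;

    /* Install the handler before taking the lease so no break is missed. */
    sa.sa_handler = on_sigio; sa.sa_flags = SA_RESTART;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGIO, &sa, NULL);

    /* A write lease requires that we own the file and are its only opener. */
    if (fcntl(fd, F_SETLEASE, F_WRLCK) < 0) { close(fd); unlink(path); return LEASE_UNSUPPORTED; }

    pid = fork();
    if (pid < 0) { fcntl(fd, F_SETLEASE, F_UNLCK); close(fd); unlink(path); return LEASE_ERROR; }
    if (pid == 0) {
        /* Conflicting opener: this open blocks until the holder releases the lease. */
        _exit(open(path, O_RDONLY) < 0 ? 1 : 0);
    }

    /* Wait up to ~3 s for SIGIO (the kernel's own lease_break_time default is 45 s). */
    for (i = 0; i < 300 && !got_sigio; i++) nanosleep(&tick, NULL);
    fcntl(fd, F_SETLEASE, F_UNLCK);                 /* release so the child's open completes */
    waitpid(pid, &status, 0);
    close(fd); unlink(path);
    if (!got_sigio) return LEASE_NO_SIGNAL;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? LEASE_BROKEN : LEASE_ERROR;
}
```

LEASE_UNSUPPORTED is returned when F_SETLEASE itself fails, which is what a sandbox or filesystem without lease support reports.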


More information about the samba-technical mailing list