Issues with Linux kernel oplocks
J. Bruce Fields
bfields at fieldses.org
Tue Jul 23 14:32:16 MDT 2013
On Tue, Jul 23, 2013 at 01:25:52PM -0700, Jeremy Allison wrote:
> On Tue, Jul 23, 2013 at 03:35:12PM -0400, J. Bruce Fields wrote:
> >
> > From 'man 2 fcntl':
> >
> > Sending a signal to the owner process (group) specified by
> > F_SETOWN is subject to the same permissions checks as are
> > described for kill(2), where the sending process is the one that
> > employs F_SETOWN (but see BUGS below).
> >
> > And 'man 2 kill':
> >
> > For a process to have permission to send a signal it must either
> > be privileged (under Linux: have the CAP_KILL capability), or
> > the real or effective user ID of the sending process must equal
> > the real or saved set-user-ID of the target process.
> >
> > I'm not sure what exactly the threat is here. (An unprivileged process
> > being able to trigger a signal to a privileged process sharing the same
> > file descriptor?) In any case it's clearly intentional.
>
> But that is *clearly* a bug w.r.t. leases. The whole point of
> leases is that if a process running under uid 123 opens a file and requests a lease,
> when a process owned by uid 345 tries to open that file then the original process
> *must* get a signal.
Sure, but...
> Neither process has to be privileged, neither
> process has to have changed uids.
>
> For leases to work this condition:
>
> "the real or effective user ID of the sending process must equal
> the real or saved set-user-ID of the target process."
>
> cannot be correct. Else you could only break leases between
> processes who are owned by the same uid - or from a privileged
> opener.
... you're confusing the lease-breaker and the lease-setter.
Note in the first quote above, "where the sending process is the one
that employs F_SETOWN". (Or equivalently, I think, F_SETLEASE.)
--b.
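The holder/breaker distinction Bruce draws is easiest to see with the two processes side by side. The program below is an added example, not code from this thread or from Samba: the lease holder is the process that calls F_SETLEASE (and is therefore, by default, the F_SETOWN target of its own lease), and the breaker is any other process whose open() conflicts with the lease. The kernel notifies the holder with SIGIO when the conflicting open arrives, and the breaker's open blocks until the holder releases the lease (or the lease-break timeout expires). Both processes run as the same user here purely so the demo runs unprivileged; the file path, the 10-second wait and the helper name demo_lease_break are this example's own choices, and it assumes Linux with a lease-capable filesystem under /tmp.

```c
/* Added example: one process takes a read lease, a forked child breaks it by
 * opening the file for writing, and the holder is signalled. Assumes Linux. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t lease_broken = 0;

/* SIGIO is the default lease-break notification (no F_SETSIG used here). */
static void on_lease_break(int sig) { (void)sig; lease_broken = 1; }

/* Returns 1 when the holder received the lease-break signal and the breaker's
 * open() completed after the lease was released; 0 on any failure. */
int demo_lease_break(void) {
    char path[] = "/tmp/lease-demo-XXXXXX";      /* constructed scratch file */
    lease_broken = 0;

    int tfd = mkstemp(path);
    if (tfd < 0) { perror("mkstemp"); return 0; }
    close(tfd);   /* a read lease is refused while any writable fd exists */

    /* Install the handler before taking the lease: SIGIO's default action
     * would terminate the holder instead of notifying it. */
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_lease_break;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGIO, &sa, NULL) < 0) { perror("sigaction"); unlink(path); return 0; }

    int fd = open(path, O_RDONLY);           /* read lease needs a read-only fd */
    if (fd < 0) { perror("open"); unlink(path); return 0; }

    /* Holder: this call also records the caller as the lease's owner, the
     * process the kernel will signal when someone else opens for write. */
    if (fcntl(fd, F_SETLEASE, F_RDLCK) < 0) {
        perror("F_SETLEASE");
        close(fd); unlink(path);
        return 0;
    }

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); close(fd); unlink(path); return 0; }
    if (pid == 0) {
        /* Breaker: a conflicting open triggers the lease break. The kernel
         * signals the holder and blocks this open until the lease is gone. */
        int wfd = open(path, O_WRONLY);
        _exit(wfd >= 0 ? 0 : 1);
    }

    /* Holder: wait (up to ~10 s) for the notification, then release the lease
     * so the breaker's open can proceed. */
    for (int i = 0; i < 1000 && !lease_broken; i++) usleep(10000);

    int ok = 0;
    int status = 0;
    if (lease_broken) {
        fcntl(fd, F_SETLEASE, F_UNLCK);      /* unblock the breaker */
        waitpid(pid, &status, 0);
        ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    } else {
        kill(pid, SIGKILL);                  /* no signal arrived: give up */
        waitpid(pid, NULL, 0);
    }
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    int ok = demo_lease_break();
    printf("lease break delivered to holder: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Note that nothing in the breaker refers to the holder, its pid or its signal: the signal-permission check from the man page quotes is performed with the holder's own identity as the sender, because the holder is the process that employed F_SETLEASE, so a breaker running under a different uid changes nothing in this exchange.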