From: Linus Torvalds <torvalds-AT-linux-foundation.org>
To: Linus Torvalds <torvalds-AT-linux-foundation.org>, Paolo Bonzini <pbonzini-AT-redhat.com>, linux-kernel-AT-vger.kernel.org, security-AT-kernel.org, pmatouse-AT-redhat.com, agk-AT-redhat.com, jbottomley-AT-parallels.com, mchristi-AT-redhat.com, msnitzer-AT-redhat.com
Subject: Re: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices
Date: Thu, 22 Dec 2011 16:07:46 -0800
On Thu, Dec 22, 2011 at 3:48 PM, Alasdair G Kergon <email@example.com> wrote:
> On Thu, Dec 22, 2011 at 02:25:56PM -0800, Linus Torvalds wrote:
>> I don't *think* anybody does something as crazy as giving actual block
>> device ownership to people,
>
> That can happen when running virtual machines backed by logical volumes.

So my worry is not so much the security fix for the vm case, but simply normal people - who don't hit the issue to begin with - now being screwed because what their distro does no longer works.

For example, I just traced it, and "eject /dev/sdb1" does a CDROMEJECT ioctl when used as the root user. I haven't tested the patch, but just reading it, I'd expect it to break that.

And that's the *natural* way to eject a mounted device. Look at the USB memory sticks you have. They are almost all partitioned to have one partition, and that one partition doesn't cover the whole device. And it's that one partition you use to interact with it - it's what you mount, and what you eject.

Breaking things like that is not an option. It's stuff people do every day.

And there may be some very non-obvious reason that I don't see why it's not broken by this patch-series, but that's the kind of thing that I worry about. And I worry about it a *lot* more than I worry about some broken virtualization setup where you have system engineers that could patch their own kernel if they feel strongly about this.

We simply *must*not* break things. I absolutely do not get the feeling that this has been tested so much and is so obvious that there is no risk of breakage.

I suspect one thing that would be reasonable would be to just say "Root can do any ioctls he damn well wants on a partial device". That would make me worry much less about the "normal" setup breaking where you don't give regular users direct access to partitions to begin with.

But even that might not work reliably. Maybe the system daemon that actually does the eject (when a normal user does an eject) has been setgid to 'disk' instead, and isn't root. I don't know. I doubt you know either. Maybe some of them have fallback code to find the parent device. Do you know? Do you know that all do? I doubt it.

Linus
Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds