sessiond: enforce user-exclusive session access in session_access_ok
The current session_access_ok logic disallows the access to a session
when:
uid != session->uid && gid != session->gid && uid != 0
This means that any user that is part of the same primary group as the
session's owner can access the session. The primary group is not
necessarily (and most likely not) the `tracing` group. Moreover, the
`tracing` group is not meant to provide shared access to sessions, but
to allow interactions with a root session daemon.
For instance:
- the session has uid = 1000, gid = 100
- the current user has uid = 1001, gid = 100
access to the session is granted.
This is way too broad and unexpected from most users as the LTTng
documentation never mentions this "primary group share tracing sessions"
behaviour. The documentation only alludes to the fact that separate
users have "their own set of sessions".
On most distributions, this change will have no impact as `useradd`
creates a new group for every user. Users will never share a primary
group and thus can't control each other's sessions.
However, it is not unusual to have users share a primary group (e.g.
`users`) and set the default umask to `0700`. In that case, there is no
expectation that every user will share files and there would be no
reasonable expectation that they should share all sessions.
For instance, it would be unexpected for one user to tear down the
sessions of other users with a single `lttng destroy -a` command.
If this type of session sharing is desirable to some users, then the
default umask of users could be checked or sessions could be created as
part of a group. However, in doubt, it is preferable to be strict.
This is not marked as a fix since this was most likely deliberate and
the change could, although unlikely, break existing deployment
scenarios.
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Change-Id: I98f7ffb29d5f6dcb9d660535c1d3f5a1d1a68293
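The two access checks contrasted in the message, as an added illustration that is not lttng-tools code: the group-sharing condition quoted above beside the user-exclusive one the commit introduces, driven by the uid 1000/gid 100 versus uid 1001/gid 100 scenario. The `struct ltt_session` layout and the function names are assumptions for this example.

```c
/* Added example, not lttng-tools code: the session-access condition quoted in
 * the commit message beside the user-exclusive one it proposes. The struct
 * and function signatures are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

struct ltt_session {
	uid_t uid; /* owner of the session */
	gid_t gid; /* owner's primary group when the session was created */
};

/* Before: access is refused only when uid, gid AND root all mismatch, so a
 * caller who merely shares the owner's primary group is let through. */
bool session_access_ok_group_shared(const struct ltt_session *session,
		uid_t uid, gid_t gid)
{
	if (uid != session->uid && gid != session->gid && uid != 0) {
		return false;
	}
	return true;
}

/* After: only the owning user or root may touch the session. The gid is
 * kept in the signature so both variants can be driven by the same caller. */
bool session_access_ok_user_exclusive(const struct ltt_session *session,
		uid_t uid, gid_t gid)
{
	(void) gid;
	return uid == session->uid || uid == 0;
}

int main(void)
{
	/* Constructed scenario from the message: session owned by uid 1000,
	 * gid 100; callers with various uid/gid pairs. */
	const struct ltt_session session = { .uid = 1000, .gid = 100 };
	const struct { uid_t uid; gid_t gid; const char *who; } callers[] = {
		{ 1000, 100, "owner" },
		{ 1001, 100, "same primary group" },
		{ 1002, 200, "unrelated user" },
		{ 0, 0, "root" },
	};
	for (size_t i = 0; i < sizeof(callers) / sizeof(callers[0]); i++) {
		printf("%-20s group-shared=%d user-exclusive=%d\n", callers[i].who,
			session_access_ok_group_shared(&session, callers[i].uid, callers[i].gid),
			session_access_ok_user_exclusive(&session, callers[i].uid, callers[i].gid));
	}
	return 0;
}
```

Only the "same primary group" row differs between the two columns, which is exactly the case the commit closes.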