[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <m1fx6ty6ds.fsf@fess.ebiederm.org>
Date: Tue, 29 Dec 2009 10:36:31 -0800
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Bryan Donlan <bdonlan@...il.com>
Cc: "Serge E. Hallyn" <serue@...ibm.com>,
Michael Stone <michael@...top.org>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-security-module@...r.kernel.org,
Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>,
Oliver Hartkopp <socketcan@...tkopp.net>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Herbert Xu <herbert@...dor.apana.org.au>,
Valdis Kletnieks <Valdis.Kletnieks@...edu>,
Evgeniy Polyakov <zbr@...emap.net>,
"C. Scott Ananian" <cscott@...ott.net>,
James Morris <jmorris@...ei.org>,
Bernie Innocenti <bernie@...ewiz.org>,
Mark Seaborn <mrs@...hic-beasts.com>,
Randy Dunlap <randy.dunlap@...cle.com>,
Américo Wang <xiyou.wangcong@...il.com>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
Samir Bellabes <sam@...ack.fr>,
Casey Schaufler <casey@...aufler-ca.com>,
Pavel Machek <pavel@....cz>, Al Viro <viro@...iv.linux.org.uk>
Subject: Re: RFC: disablenetwork facility. (v4)
Bryan Donlan <bdonlan@...il.com> writes:
> On Tue, Dec 29, 2009 at 11:39 AM, Serge E. Hallyn <serue@...ibm.com> wrote:
>> Quoting Bryan Donlan (bdonlan@...il.com):
>>> On Tue, Dec 29, 2009 at 10:11 AM, Serge E. Hallyn <serue@...ibm.com> wrote:
>>> > Eric, let me specifically point out a 'disable setuid-root'
>>> > problem on linux: root still owns most of the system even when
>>> > it's not privileged. So does "disable setuid-root" mean
>>> > we don't allow exec of setuid-root binaries at all, or that
>>> > we don't setuid to root, or that we just don't raise privileges
>>> > for setuid-root?
>>>
>>> I, for one, think it would be best to handle it exactly like the
>>> nosuid mount option - that is, pretend the file doesn't have any
>>> setuid bits set. There's no reason to deny execution; if the process
>>> would otherwise be able to execute it, it can also copy the file to
>>> make a non-suid version and execute that instead. And some programs
>>> can operate with reduced function without setuid. For example, screen
>>> comes to mind; it needs root to share screen sessions between multiple
>>> users, but can operate for a single user just fine without root, and
>>> indeed the latter is usually the default configuration.
>>
>> That's fine with me, seems safe for a fully unprivileged program to
>> use, and would make sense to do through one of the securebits set
>> with prctl(PR_SET_SECUREBITS).
>>
>> In addition, I assume we would also refuse to honor file capabilities?
>
> Yes - essentially a one-time switch saying "never allow me to gain
> capabilities again".
That is what I was thinking. Does setresuid case problems? Assuming
the application that drop permissions could have successfully
called setresuid?
Ignoring the bits instead of honoring them when execing an executable
makes sense as that is the existing precedent.
If it works prctl appears to be a fine interface.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists