| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Mar 2014 06:02:24 -0700 From: Jeff Layton <jlayton@...hat.com> To: Florian Weimer <fweimer@...hat.com> Cc: Andy Lutomirski <luto@...capital.net>, Jim Lieb <jlieb@...asas.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, LSM List <linux-security-module@...r.kernel.org>, "Serge E. Hallyn" <serge@...onical.com>, Kees Cook <keescook@...omium.org>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, "Theodore Ts'o" <tytso@....edu>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, bfields@...hat.com Subject: Re: Thoughts on credential switching On Thu, 27 Mar 2014 13:46:06 +0100 Florian Weimer <fweimer@...hat.com> wrote: > On 03/27/2014 01:23 AM, Andy Lutomirski wrote: > > > I propose the following set of new syscalls: > > > > int credfd_create(unsigned int flags): returns a new credfd that > > corresponds to current's creds. > > > > int credfd_activate(int fd, unsigned int flags): Change current's > > creds to match the creds stored in fd. To be clear, this changes > > both the "subjective" and "objective" (aka real_cred and cred) > > because there aren't any real semantics for what happens when > > userspace code runs with real_cred != cred. > > This interface does not address the long-term lack of POSIX > compliance in setuid and friends, which are required to be > process-global and not thread-specific (as they are on the kernel > side). > > glibc works around this by reserving a signal and running set*id on > every thread in a special signal handler. This is just crass, and it > is likely impossible to restore the original process state in case of > partial failure. We really need kernel support to perform the > process-wide switch in an all-or-nothing manner. > I disagree. We're treading new ground here with this syscall. It's not defined by POSIX so we're under no obligation to follow its silly directives in this regard. Per-process cred switching doesn't really make much sense in this day and age, IMO. Wasn't part of the spec was written before threading existed The per-process credential switching is pretty universally a pain in the ass for anyone who wants to write something like a threaded file server. Jeremy Allison had to jump through some rather major hoops to work around it for Samba [1]. I think we want to strive to make this a per-task credential switch and ignore that part of the POSIX spec. That said, I think we will need to understand and document what we expect to occur if someone does this new switch_creds(fd) call and then subsequently calls something like setuid(), if only to ensure that we don't get blindsided by it. [1]: http://sourceware.org/ml/libc-help/2012-07/msg00004.html -- Jeff Layton <jlayton@...hat.com> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists