[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140327070126.41ac75ac@ipyr.poochiereds.net>
Date: Thu, 27 Mar 2014 07:01:26 -0700
From: Jeff Layton <jlayton@...hat.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Jim Lieb <jlieb@...asas.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
LSM List <linux-security-module@...r.kernel.org>,
"Serge E. Hallyn" <serge@...onical.com>,
Kees Cook <keescook@...omium.org>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
"Theodore Ts'o" <tytso@....edu>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
bfields@...hat.com
Subject: Re: Thoughts on credential switching
On Thu, 27 Mar 2014 14:06:32 +0100
Florian Weimer <fweimer@...hat.com> wrote:
> On 03/27/2014 02:02 PM, Jeff Layton wrote:
>
> >> This interface does not address the long-term lack of POSIX
> >> compliance in setuid and friends, which are required to be
> >> process-global and not thread-specific (as they are on the kernel
> >> side).
> >>
> >> glibc works around this by reserving a signal and running set*id on
> >> every thread in a special signal handler. This is just crass, and
> >> it is likely impossible to restore the original process state in
> >> case of partial failure. We really need kernel support to perform
> >> the process-wide switch in an all-or-nothing manner.
> >>
> >
> > I disagree. We're treading new ground here with this syscall. It's
> > not defined by POSIX so we're under no obligation to follow its
> > silly directives in this regard. Per-process cred switching doesn't
> > really make much sense in this day and age, IMO. Wasn't part of the
> > spec was written before threading existed
>
> Okay, then we need to add a separate set of system calls.
>
> I really, really want to get rid of that signal handler mess in
> glibc, with its partial failures.
>
I agree, it's a hack, but hardly anyone these days really wants to
switch creds on a per-process basis. It's just that we're saddled with
a spec for those calls that was written before threads really existed.
The kernel syscalls already do the right thing as far as I'm concerned.
What would be nice however is a blessed glibc interface to them
that didn't involve all of the signal handling stuff. Then samba et. al.
wouldn't need to call syscall() directly to get at them.
> > The per-process credential switching is pretty universally a pain in
> > the ass for anyone who wants to write something like a threaded file
> > server. Jeremy Allison had to jump through some rather major hoops
> > to work around it for Samba [1]. I think we want to strive to make
> > this a per-task credential switch and ignore that part of the POSIX
> > spec.
>
> Yeah, I get that, setfsuid/setfsgid already behaves this way.
>
> (Current directory and umask are equally problematic, but it's
> possible to avoid most issues.)
>
> > That said, I think we will need to understand and document what we
> > expect to occur if someone does this new switch_creds(fd) call and
> > then subsequently calls something like setuid(), if only to ensure
> > that we don't get blindsided by it.
>
> Currently, from the kernel perspective, this is not really a problem
> because the credentials are always per-task. It's just that a
> conforming user space needs the process-wide credentials.
>
--
Jeff Layton <jlayton@...hat.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists