| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Mar 2014 07:01:26 -0700 From: Jeff Layton <jlayton@...hat.com> To: Florian Weimer <fweimer@...hat.com> Cc: Andy Lutomirski <luto@...capital.net>, Jim Lieb <jlieb@...asas.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, LSM List <linux-security-module@...r.kernel.org>, "Serge E. Hallyn" <serge@...onical.com>, Kees Cook <keescook@...omium.org>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, "Theodore Ts'o" <tytso@....edu>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, bfields@...hat.com Subject: Re: Thoughts on credential switching On Thu, 27 Mar 2014 14:06:32 +0100 Florian Weimer <fweimer@...hat.com> wrote: > On 03/27/2014 02:02 PM, Jeff Layton wrote: > > >> This interface does not address the long-term lack of POSIX > >> compliance in setuid and friends, which are required to be > >> process-global and not thread-specific (as they are on the kernel > >> side). > >> > >> glibc works around this by reserving a signal and running set*id on > >> every thread in a special signal handler. This is just crass, and > >> it is likely impossible to restore the original process state in > >> case of partial failure. We really need kernel support to perform > >> the process-wide switch in an all-or-nothing manner. > >> > > > > I disagree. We're treading new ground here with this syscall. It's > > not defined by POSIX so we're under no obligation to follow its > > silly directives in this regard. Per-process cred switching doesn't > > really make much sense in this day and age, IMO. Wasn't part of the > > spec was written before threading existed > > Okay, then we need to add a separate set of system calls. > > I really, really want to get rid of that signal handler mess in > glibc, with its partial failures. > I agree, it's a hack, but hardly anyone these days really wants to switch creds on a per-process basis. It's just that we're saddled with a spec for those calls that was written before threads really existed. The kernel syscalls already do the right thing as far as I'm concerned. What would be nice however is a blessed glibc interface to them that didn't involve all of the signal handling stuff. Then samba et. al. wouldn't need to call syscall() directly to get at them. > > The per-process credential switching is pretty universally a pain in > > the ass for anyone who wants to write something like a threaded file > > server. Jeremy Allison had to jump through some rather major hoops > > to work around it for Samba [1]. I think we want to strive to make > > this a per-task credential switch and ignore that part of the POSIX > > spec. > > Yeah, I get that, setfsuid/setfsgid already behaves this way. > > (Current directory and umask are equally problematic, but it's > possible to avoid most issues.) > > > That said, I think we will need to understand and document what we > > expect to occur if someone does this new switch_creds(fd) call and > > then subsequently calls something like setuid(), if only to ensure > > that we don't get blindsided by it. > > Currently, from the kernel perspective, this is not really a problem > because the credentials are always per-task. It's just that a > conforming user space needs the process-wide credentials. > -- Jeff Layton <jlayton@...hat.com> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists