[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrWGMfuoURG5cQsZ7gu1+zZoN5HWGjfFu6sZjHpPEprmEA@mail.gmail.com>
Date: Wed, 4 Nov 2015 10:17:06 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Willy Tarreau <w@....eu>
Cc: Kees Cook <keescook@...omium.org>,
Dirk Steinmetz <public@...tdrjgfuzkfg.com>,
Michael Kerrisk-manpages <mtk.manpages@...il.com>,
Serge Hallyn <serge.hallyn@...ntu.com>,
Seth Forshee <seth.forshee@...onical.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Serge Hallyn <serge.hallyn@...onical.com>,
"security@...nel.org" <security@...nel.org>
Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids
On Wed, Nov 4, 2015 at 10:15 AM, Willy Tarreau <w@....eu> wrote:
> On Wed, Nov 04, 2015 at 09:59:55AM -0800, Andy Lutomirski wrote:
>> On Tue, Nov 3, 2015 at 10:58 PM, Willy Tarreau <w@....eu> wrote:
>> > On Tue, Nov 03, 2015 at 03:29:55PM -0800, Kees Cook wrote:
>> >> Using "write" does kill the set-gid bit. I haven't looked at
>> >> why.
>> >> Al or anyone else, is there a meaningful distinction here?
>> >
>> > I remember this one, I got caught once while trying to put a shell into
>> > a suid-writable file to get some privileges someone forgot to offer me :-)
>> >
>> > It's done by should_remove_suid() which is called upon write() and truncate().
>> >
>> >> Should the
>> >> mmap MAP_SHARED-write trigger the loss of the set-gid bit too? While
>> >> holding the file open with either open or mmap, I get a Text-in-use
>> >> error, so I would kind of expect the same behavior between either
>> >> close() and munmap(). I wonder if this is a bug, and if so, then your
>> >> link patch is indeed useful again. :)
>> >
>> > I don't see how this could be done with mmap(). Maybe we have a way to know
>> > when the first write is performed via this path, I have no idea.
>>
>> do_wp_page might be a decent bet.
>
> Yep probably at the same place where we update the file's time ?
>
> That said I never feel completely comfortable with changing a file's
> permissions this way, I always fear it could break backup/restore
> applications. Let's imagine for a minute that a restore does this :
>
> extract(const char *file_name, int file_perms) {
> fd = open(".tmpfile", O_CREAT, file_perms);
> mmap(fd);
> /* actually write file */
> close(fd);
> unlink(real_file_name);
> rename(".tmpfile", file_name);
> }
>
> Yes I know it's not safe to do the chmod before writing to the file
> but we could imagine some situations where it makes sense to be done
> this way (eg: if the file is put into a protected directory), and
> anyway this possibility is provided by open() and creat() so it is
> legitimate to imagine these ones could exist.
>
> Such a change would slightly modify semantics and affect such use cases
> *if they exist*, just like using write() instead of mmap() would fail.
> We could imagine having a sysctl to disable this strengthening, but it
> is probably not the best solution for the long term either.
I'd say that this is an acceptable breakage risk. In any event, the
potential for data loss is limited to a bit of the file mode, and
restore apps like that really don't deserve to work in the first
place.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists