[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20170713003658.70b98278@alans-desktop>
Date: Thu, 13 Jul 2017 00:50:54 +0100
From: Alan Cox <gnomes@...rguk.ukuu.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...nel.org>,
Michal Hocko <mhocko@...nel.org>,
Ben Hutchings <ben@...adent.org.uk>, Willy Tarreau <w@....eu>,
Hugh Dickins <hughd@...gle.com>,
Oleg Nesterov <oleg@...hat.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Rik van Riel <riel@...hat.com>,
Larry Woodman <lwoodman@...hat.com>,
"Kirill A. Shutemov" <kirill@...temov.name>,
Tony Luck <tony.luck@...el.com>,
"James E.J. Bottomley" <jejb@...isc-linux.org>,
Helge Diller <deller@....de>,
James Hogan <james.hogan@...tec.com>,
Laura Abbott <labbott@...hat.com>, Greg KH <greg@...ah.com>,
"security@...nel.org" <security@...nel.org>,
Qualys Security Advisory <qsa@...lys.com>,
LKML <linux-kernel@...r.kernel.org>,
Ximin Luo <infinity0@...ian.org>
Subject: Re: [RFC][PATCH] exec: Use init rlimits for setuid exec
> (a) minimal: just use our existing default stack (and stack _only_)
> limit value for suid binaries that actually get extra permissions: {
> _STK_LIM, RLIM_INFINITY }.
Even that is dangerous because a setuid binary can be transitioning
between two users (none privileged) yet be subject to an rlimit attack.
There's even less reason to believe that non root setuid binaries are
properly hardened than obvious targets. CPU limit attacks in particular
can be used to do some quite clever things.
Also consider a binary that is gaining some minor right (eg network
rights) being targetted because giving it extra permissions allows the
attacker to gain access to infinite resources when that clearly isn't the
intent.
> (c) perhaps encourage people to annotate their suid binaries with
> initial resource requirements (and for stack, I mean the existing
> GNU_STACK ELF annotation in particular).
Making this for setuid binaries only makes no sense. If a user can
annotate required resources and the execve() fails if those resources are
over the rlimit then that is a useful feature full stop, and there's no
reason to even make it setuid dependent.
Alan
Powered by blists - more mailing lists