lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 25 Mar 2019 19:17:43 -0400
From:   Igor Lubashev <ilubashe@...mai.com>
To:     Serge Hallyn <serge@...lyn.com>, James Morris <jmorris@...ei.org>,
        open list <linux-kernel@...r.kernel.org>,
        "open list : CAPABILITIES" <linux-security-module@...r.kernel.org>,
        Igor Lubashev <ilubashe@...mai.com>
Subject: [PATCH 0/1] RFC: security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve

This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
preserved across execve. I ran into a need for a patch trying to
implement a set-uid-root wrapper for perf.

My set-uid-root wrapper implements local policies, allowing only
certain users to run perf and only with certain arguments.

Perf, like a number of other kernel features, checks euid (and KASLR
access, required for perf top and perf report, also checks real uid)
in addition to checking capabilities.  Hence, I must execve perf from
my wrapper with root euid.

However, when I execve perf with root euid, it automatically obtains
root fsuid. This is very undesirable for a number of reasons:

1. 'perf record' will create perf.data file that cannot be deleted by
   the user.

2. 'perf record' becomes insecure, allowing the user an ability to
   overwrite any key file owned by root (and because of
   time-of-check/time-of-use principle, nothing I can check in the
   wrapper can reliably prevent the user from doing so).

3. 'perf report' can potentially read files that the user does not
   have permissions to read.


Perf and KASLR are not the only kernel features that check for root
uid/euid, so a general approach like the one in this patch seems
warranted.


This patch is the minimal set of changes required to achieve my goals.
However, I am wondering if we might want to go a bit further and have
a secure bit that stops fsuid/fsgid following euid/egid in all
contexts, including set*uid as well as ignoring uid/suid/euid in
setfsuid (and similarly for set*gid and setfsgid).

I will update man pages as needed.

Igor Lubashev (1):
  security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve

 include/uapi/linux/securebits.h | 10 +++++++++-
 security/commoncap.c            |  9 +++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

-- 
2.7.4

Powered by blists - more mailing lists