lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jun 2019 15:09:43 +1000 (AEST) From: James Morris <jmorris@...ei.org> To: Igor Lubashev <ilubashe@...mai.com> cc: Serge Hallyn <serge@...lyn.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve On Thu, 13 Jun 2019, Igor Lubashev wrote: > I've posted this in March but received no response. Reposting. > > This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be > preserved across execve. It is currently impossible to execve a > program such that effective and filesystem uid differ. > > The need for this functionality arose from a desire to allow certain > non-privileged users to run perf. To do this, we install perf without > set-uid-root and have a set-uid-root wrapper decide who is allowed to > run perf (and with what arguments). > > The wrapper must execve perf with real and effective root uid, because > perf and KASLR require this. However, that presently resets fsuid to > root, giving the user ability to read and overwrite any file owned by > root (perf report -i, perf record -o). Also, perf record will create > perf.data that cannot be deleted by the user. > > We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive > level, since we must be selective which users have the permissions. > > Of course, we could fix our problem by a patch to perf to allow > passing a username on the command line and having perf execute > setfsuid before opening files. However, perf is not the only program > that uses kernel features that require root uid/euid, so a general > solution that does not involve updating all such programs seems > warranted. This seems like a very specific corner case, depending on fsuid!=0 for an euid=0 process, along with a whitelist policy for perf arguments. It would be a great way to escalate to root via a bug in an executed app or via a wrapper misconfiguration. It also adds complexity to kernel credential handling -- it's yet another thing to consider when trying to reason about this. Have you considered the example security configuration in Documentation/admin-guide/perf-security.rst ? What are some other examples of programs that could utilize this scheme? -- James Morris <jmorris@...ei.org>
Powered by blists - more mailing lists