| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKPOu+_vTuZqsBLfRH+kyphiWAtRfWq=nKAcAYu=Wn2JBAkkYg@mail.gmail.com> Date: Mon, 28 Apr 2025 13:43:43 +0200 From: Max Kellermann <max.kellermann@...os.com> To: "Serge E. Hallyn" <serge@...lyn.com> Cc: Andy Lutomirski <luto@...nel.org>, paul@...l-moore.com, jmorris@...ei.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] security/commoncap: don't assume "setid" if all ids are identical On Sun, Mar 9, 2025 at 4:19 PM Serge E. Hallyn <serge@...lyn.com> wrote: > > On Thu, Mar 06, 2025 at 09:26:15AM +0100, Max Kellermann wrote: > > If a program enables `NO_NEW_PRIVS` and sets up > > differing real/effective/saved/fs ids, the effective ids are > > downgraded during exec because the kernel believes it should "get no > > more than they had, and maybe less". > > > > I believe it is safe to keep differing ids even if `NO_NEW_PRIVS` is > > set. The newly executed program doesn't get any more, but there's no > > reason to give it less. > > > > This is different from "set[ug]id/setpcap" execution where privileges > > may be raised; here, the assumption that it's "set[ug]id" if > > effective!=real is too broad. > > > > If we verify that all user/group ids remain as they were, we can > > safely allow the new program to keep them. > > Thanks, it's an interesting point. Seems to mainly depend on what users > of the feature have come to expect. > > Andy, what do you think? Serge & Andy, what's your opinion on my patch?
Powered by blists - more mailing lists