| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKPOu+8Kc_2gs4FUhkGqjFDLZ+6AW2b93bqUd8o9vL8c_TriSg@mail.gmail.com> Date: Thu, 8 May 2025 08:38:09 +0200 From: Max Kellermann <max.kellermann@...os.com> To: "Andrew G. Morgan" <morgan@...nel.org> Cc: "Serge E. Hallyn" <serge@...lyn.com>, Andy Lutomirski <luto@...nel.org>, paul@...l-moore.com, jmorris@...ei.org, kees@...nel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] security/commoncap: don't assume "setid" if all ids are identical On Thu, May 8, 2025 at 5:32 AM Andrew G. Morgan <morgan@...nel.org> wrote: > If a luser runs a setuid program, then the kernel will set this > bprm->secureexec bit. Indeed, every time this program re-exec's > itself, that bit will consistently be set. Today. > > However, with your change, that behavior will change. The first time > the program is exec'd by luser this bit will be set. However, it will > "surprisingly" not occur should the program exec itself again. I had covered this case in my previous email already. This flag is only used by begin_new_exec(), and the only consequence is resetting pdeath_signal (point 4) and stack limit reset (point 5). I thought both are no deal at all for the second exec - or are they? I don't know. > If you are unaware of this bit's purpose there is a nice writeup here: > > https://www.kernel.org/doc/html/v5.1/security/LSM.html I don't see this document describing the purpose anywhere. It only states that bprm_set_creds should set it "if a secure exec has happened" but doesn't say what a "secure exec" is, and doesn't say what is supposed to happen when it's set. Is it really a "secureexec" if executing a non-suid program while having effective!=real? (Currently: true, my patch: false) Is it really a "secureexec" if executing a suid program but no actual uid/gid changes occurred (no-op) because they're the same as before (and no capabilities raised)? (Currently: true, my patch: false) > See the "bprm_set_creds" paragraph. My concern is that there is an > exploit vector associated with an abuser setting LD_LIBRARY_PATH= to > something nefarious, and then invoking a setuid program that happens > to re-exec itself for some reason. The first invocation will be as > before, but when the binary re-exec's itself, I am concerned that this > could cause the privileged binary to load an exploit. How would resetting pdeath_signal and stack limit affect this problem? LD_LIBRARY_PATH is an environment variable that's used by the userspace linker, not by the kernel. Userspace doesn't have access to the "secureexec" flag. The usual protection against LD_LIBRARY_PATH/LD_PRELOAD attacks is that the glibc ld.so ignores (or removes?) these when it observes real!=effective. That check still works with my patch, and has nothing to do with the "secureexec" flag, does it? > This has nothing to do with your interest in NO_NEW_PRIV but more to > do with the legacy behavior changes like this are exposed to. Yes, I understand your worries, and I can limit my patch to the NO_NEW_PRIVS case, if you prefer that. But I think it is worth exploring the legacy behavior and see if there is really a problem (i.e. if there is really a userspace-visible effect), and if that legacy behavior really makes sense. To me, it seems like the legacy code doesn't make much sense; the checks for "secureexec" are wrong currently, and maybe we can fix this without adding more complexity, but by cutting unnecessary complexity away. Simpler code that is easier to understand is less likely to have vulnerabilities. Max
Powered by blists - more mailing lists