| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250509201709.GA708015@mail.hallyn.com> Date: Fri, 9 May 2025 15:17:09 -0500 From: "Serge E. Hallyn" <serge@...lyn.com> To: Max Kellermann <max.kellermann@...os.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, sergeh@...nel.org, "Serge E. Hallyn" <serge@...lyn.com>, Andy Lutomirski <luto@...nel.org>, paul@...l-moore.com, jmorris@...ei.org, kees@...nel.org, morgan@...nel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] security/commoncap: don't assume "setid" if all ids are identical On Fri, May 09, 2025 at 06:53:11PM +0200, Max Kellermann wrote: > On Fri, May 9, 2025 at 4:45 PM Eric W. Biederman <ebiederm@...ssion.com> wrote: > > In particular __is_setuid or __is_setgid being true guarantees > > that has_identical_uids_gids will be false. > > Sorry, no, that's completely wrong! > > __is_setXid() compares effective with real. > has_identical_uids_gids() compares effective with effective, real with real etc. > > See the difference? > > > Which means has_identical_uids_gids adds nothing, and the patch is > > pointless. > > Also wrong. If that were correct, then my patch would not have an > observable effect. But it does. Try it, try the small program I > posted! > > It seems your whole email is based on this misunderstanding. Please reconsider. > > > If your concern is LD_PRELOAD and the like please don't play with > > the uids/gids and instead just make certain bprm->secureexec gets > > set. > > LD_PRELOAD is not my concern at all. I just observed that the current Right, it is an aside, though an important one. > kernel behavior can annul the LD_PRELOAD/suid protection as > implemented in glibc. Hm, but no, it doesn't annul glibc's protection, right? The concern is that: a. musl doesn't implement LD_PRELOAD clearing b. with NNP, setuid-exec followed by setting NNP followed by exec, will lead to different behavior from non-NNP. In non-NNP, you'll continue to have euid=0, ruid=1000, and caps. With NNP, you'll have euid=ruid=1000, and still full caps. So, if someone is using NNP believing that it is a safe way to execute untrusted code with privilege, because they see they are now uid 1000, they will be confused. Worse, they are subject with musl to LD_PRELOAD from the user before setuid-root. So two things we can do are 1. have NNP drop privilege. 2. have NNP not force euid to be ruid. (1) sort of makes sense since you've bothered to use NNP, but as Max, who is a user of NNP, says, that is not the behavior that would be useful to him. It also leaves the non-NNP and NNP exec behavior - which is already - obviously - far too complicated - with yet more cases. (2) is concerning because it is a change in behavior for NNP users, but on the other hand, it leaves us with fewer special cases. At this point I'm kind of leaning towards (2), though with the obvious modification Max has already found should be added (for secureexec). > > I see no evidence > > in this conversation that anyone has surveyed the users of NO_NEW_PRIVS > > and verified how anyone actually uses it. Without such evidence we Max is such a user. I don't know what we can do to get input from more users. Perhaps scan the debian codebase results at https://codesearch.debian.net/search?q=NO_NEW_PRIVS&literal=1 I'll take a look through those in a bit. > > have to assume that userspace depends upon the current behavior. > > That's fine for me. But this behavior should be documented, because it > is rather surprising. > > (In any case, we will keep the patch in our kernel fork because we > need this part of the kernel to work properly. Our machines don't run > any code that depends on the buggy behavior.) > > Max
Powered by blists - more mailing lists