[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20250509201709.GA708015@mail.hallyn.com>
Date: Fri, 9 May 2025 15:17:09 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Max Kellermann <max.kellermann@...os.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, sergeh@...nel.org,
"Serge E. Hallyn" <serge@...lyn.com>,
Andy Lutomirski <luto@...nel.org>, paul@...l-moore.com,
jmorris@...ei.org, kees@...nel.org, morgan@...nel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] security/commoncap: don't assume "setid" if all ids are
identical
On Fri, May 09, 2025 at 06:53:11PM +0200, Max Kellermann wrote:
> On Fri, May 9, 2025 at 4:45 PM Eric W. Biederman <ebiederm@...ssion.com> wrote:
> > In particular __is_setuid or __is_setgid being true guarantees
> > that has_identical_uids_gids will be false.
>
> Sorry, no, that's completely wrong!
>
> __is_setXid() compares effective with real.
> has_identical_uids_gids() compares effective with effective, real with real etc.
>
> See the difference?
>
> > Which means has_identical_uids_gids adds nothing, and the patch is
> > pointless.
>
> Also wrong. If that were correct, then my patch would not have an
> observable effect. But it does. Try it, try the small program I
> posted!
>
> It seems your whole email is based on this misunderstanding. Please reconsider.
>
> > If your concern is LD_PRELOAD and the like please don't play with
> > the uids/gids and instead just make certain bprm->secureexec gets
> > set.
>
> LD_PRELOAD is not my concern at all. I just observed that the current
Right, it is an aside, though an important one.
> kernel behavior can annul the LD_PRELOAD/suid protection as
> implemented in glibc.
Hm, but no, it doesn't annul glibc's protection, right?
The concern is that:
a. musl doesn't implement LD_PRELOAD clearing
b. with NNP, setuid-exec followed by setting NNP followed by exec,
will lead to different behavior from non-NNP. In non-NNP,
you'll continue to have euid=0, ruid=1000, and caps. With NNP,
you'll have euid=ruid=1000, and still full caps.
So, if someone is using NNP believing that it is a safe way to
execute untrusted code with privilege, because they see they
are now uid 1000, they will be confused. Worse, they are
subject with musl to LD_PRELOAD from the user before setuid-root.
So two things we can do are
1. have NNP drop privilege.
2. have NNP not force euid to be ruid.
(1) sort of makes sense since you've bothered to use NNP, but
as Max, who is a user of NNP, says, that is not the behavior
that would be useful to him. It also leaves the non-NNP and
NNP exec behavior - which is already - obviously - far too
complicated - with yet more cases.
(2) is concerning because it is a change in behavior for NNP
users, but on the other hand, it leaves us with fewer special
cases.
At this point I'm kind of leaning towards (2), though with the
obvious modification Max has already found should be added (for
secureexec).
> > I see no evidence
> > in this conversation that anyone has surveyed the users of NO_NEW_PRIVS
> > and verified how anyone actually uses it. Without such evidence we
Max is such a user. I don't know what we can do to get input from
more users. Perhaps scan the debian codebase results at
https://codesearch.debian.net/search?q=NO_NEW_PRIVS&literal=1
I'll take a look through those in a bit.
> > have to assume that userspace depends upon the current behavior.
>
> That's fine for me. But this behavior should be documented, because it
> is rather surprising.
>
> (In any case, we will keep the patch in our kernel fork because we
> need this part of the kernel to work properly. Our machines don't run
> any code that depends on the buggy behavior.)
>
> Max
Powered by blists - more mailing lists