lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202505151451.638C22B@keescook>
Date: Thu, 15 May 2025 15:09:48 -0700
From: Kees Cook <kees@...nel.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Max Kellermann <max.kellermann@...os.com>,
	"Serge E. Hallyn" <serge@...lyn.com>, paul@...l-moore.com,
	jmorris@...ei.org, Andy Lutomirski <luto@...nel.org>,
	morgan@...nel.org, Christian Brauner <christian@...uner.io>,
	Jann Horn <jannh@...gle.com>, linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] exec: Correct the permission check for unsafe exec

On Thu, May 15, 2025 at 11:24:47AM -0500, Eric W. Biederman wrote:
> I have condensed the logic from Linux-2.4.0-test12 to just:
> 	id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
> 
> This change is userspace visible, but I don't expect anyone to care.
> [...]
> -static inline bool __is_setuid(struct cred *new, const struct cred *old)
> -{ return !uid_eq(new->euid, old->uid); }
> -
> -static inline bool __is_setgid(struct cred *new, const struct cred *old)
> -{ return !gid_eq(new->egid, old->gid); }
> -
> [...]
> -	is_setid = __is_setuid(new, old) || __is_setgid(new, old);
> +	id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);

The core change here is testing for differing euid rather than
mismatched uid/euid. (And checking for egid in the set of all groups.)

Imagined situations:

- setuid process is sharing fs. We already believe this is a non-issue,
  as Jann pointed out about Chrome's order of operations, so so changes
  here are likely fine.

- somehow ptracing a process with uid!=euid, and it tries to exec a
  different setuid==euid ELF. Is switching ELF images a security
  boundary? Probably not realistically.

- setuid process sets NNP and execs a setuid==euid ELF, expecting to
  have euid stripped. That doesn't happen any more. This is the most
  worrisome case, but a program like that should _really_ have dropped
  euid first if it is depending on that behavior. Hmmm. Probably some
  code searching is needed...

-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ