lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aCeyyly3NFSvsZYN@lei>
Date: Fri, 16 May 2025 21:48:58 +0000
From: sergeh@...nel.org
To: Kees Cook <kees@...nel.org>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
	Max Kellermann <max.kellermann@...os.com>,
	"Serge E. Hallyn" <serge@...lyn.com>, paul@...l-moore.com,
	jmorris@...ei.org, Andy Lutomirski <luto@...nel.org>,
	morgan@...nel.org, Christian Brauner <christian@...uner.io>,
	Jann Horn <jannh@...gle.com>, linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] exec: Correct the permission check for unsafe exec

On Thu, May 15, 2025 at 03:09:48PM -0700, Kees Cook wrote:
> On Thu, May 15, 2025 at 11:24:47AM -0500, Eric W. Biederman wrote:
> > I have condensed the logic from Linux-2.4.0-test12 to just:
> > 	id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
> > 
> > This change is userspace visible, but I don't expect anyone to care.
> > [...]
> > -static inline bool __is_setuid(struct cred *new, const struct cred *old)
> > -{ return !uid_eq(new->euid, old->uid); }
> > -
> > -static inline bool __is_setgid(struct cred *new, const struct cred *old)
> > -{ return !gid_eq(new->egid, old->gid); }
> > -
> > [...]
> > -	is_setid = __is_setuid(new, old) || __is_setgid(new, old);
> > +	id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
> 
> The core change here is testing for differing euid rather than
> mismatched uid/euid. (And checking for egid in the set of all groups.)
> 
> Imagined situations:
> 
> - setuid process is sharing fs. We already believe this is a non-issue,
>   as Jann pointed out about Chrome's order of operations, so so changes
>   here are likely fine.
> 
> - somehow ptracing a process with uid!=euid, and it tries to exec a
>   different setuid==euid ELF. Is switching ELF images a security
>   boundary? Probably not realistically.
> 
> - setuid process sets NNP and execs a setuid==euid ELF, expecting to
>   have euid stripped. That doesn't happen any more. This is the most

Yeah, that had been my first concern: that nnp users will have learned
about and therefore started depending upon this behavior.  But right
now while euid gets stripped, capabilities do not, so the current
situation is actually far more unsafe.

>   worrisome case, but a program like that should _really_ have dropped
>   euid first if it is depending on that behavior. Hmmm. Probably some
>   code searching is needed...

I had started looking through the debian code search, but didn't finish.
Mostly saw util-linux and systemd...

> -Kees
> 
> -- 
> Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ