2020-05-12 09:47:14

by Vito Caputo

Subject: Question regarding blocking set[ug]id on processes including via suid executables

Hello folks,

I'm curious if someone knows a way to do this using existing linux
interfaces.

I'd like to create a login lacking the ability to switch uid/gid.

Even if the process has access to suid executables like /bin/su, and
the user has the root password, I'd like the descendant processes of
their login to be simply incapable of changing uid/gid, even when it's
in the form of running a program w/suid bit set on an existing and
accessible executable in the filesystem. No matter what, it just
can't happen.

Do we have any such thing today? I'd really like to be able to set
this on a specific user and all logins of that user are simply stuck
on that uid no matter what.

Thanks in advance,
Vito Caputo


2020-05-12 10:46:32

by Vito Caputo

Subject: Re: Question regarding blocking set[ug]id on processes including via suid executables

On Tue, May 12, 2020 at 02:45:24AM -0700, Vito Caputo wrote:
> Hello folks,
>
> I'm curious if someone knows a way to do this using existing linux
> interfaces.
>
> I'd like to create a login lacking the ability to switch uid/gid.
>
> Even if the process has access to suid executables like /bin/su, and
> the user has the root password, I'd like the descendant processes of
> their login to be simply incapable of changing uid/gid, even when it's
> in the form of running a program w/suid bit set on an existing and
> accessible executable in the filesystem. No matter what, it just
> can't happen.
>
> Do we have any such thing today? I'd really like to be able to set
> this on a specific user and all logins of that user are simply stuck
> on that uid no matter what.
>


Basically what I'm looking for is a convention for login-time
application of the PR_SET_NO_NEW_PRIVS prctl. Do we have anything
formalized in userspace for this? We've got NoNewPrivileges in
systemd but it's not really user-oriented AFAIK...

Maybe lkml isn't the right place to pose this question, any pointers
appreciated though.

Cheers,
Vito Caputo

2020-05-12 11:34:58

by Vito Caputo

Subject: Re: Question regarding blocking set[ug]id on processes including via suid executables

On Tue, May 12, 2020 at 03:44:08AM -0700, Vito Caputo wrote:
> On Tue, May 12, 2020 at 02:45:24AM -0700, Vito Caputo wrote:
> > Hello folks,
> >
> > I'm curious if someone knows a way to do this using existing linux
> > interfaces.
> >
> > I'd like to create a login lacking the ability to switch uid/gid.
> >
> > Even if the process has access to suid executables like /bin/su, and
> > the user has the root password, I'd like the descendant processes of
> > their login to be simply incapable of changing uid/gid, even when it's
> > in the form of running a program w/suid bit set on an existing and
> > accessible executable in the filesystem. No matter what, it just
> > can't happen.
> >
> > Do we have any such thing today? I'd really like to be able to set
> > this on a specific user and all logins of that user are simply stuck
> > on that uid no matter what.
> >
>
>
> Basically what I'm looking for is a convention for login-time
> application of the PR_SET_NO_NEW_PRIVS prctl. Do we have anything
> formalized in userspace for this? We've got NoNewPrivileges in
> systemd but it's not really user-oriented AFAIK...
>
> Maybe lkml isn't the right place to pose this question, any pointers
> appreciated though.
>

For posterity and comment if interested, PAM seems like a reasonable
integration point for this but I don't see any existing support
currently:

https://github.com/linux-pam/linux-pam/issues/224

I'll quit talking to myself on lkml and head to sleep now :)

Regards,
Vito Caputo
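The mechanism the second and third messages point at, PR_SET_NO_NEW_PRIVS applied once at login so that every descendant inherits it, can be shown with a small wrapper. The following is an added example written for this thread, not code from Vito Caputo, linux-pam or the kernel. It is a hypothetical login-shell wrapper (the kind of thing a PAM session module would otherwise do, which the thread notes does not exist yet): it sets the flag, verifies it with PR_GET_NO_NEW_PRIVS, and execs the user's shell. Once the flag is set, execve() ignores suid/sgid bits and file capabilities, so /bin/su in that session cannot become uid 0 even with the correct password; the flag is sticky and cannot be cleared by the process or its children. The parser for the NoNewPrivs: line of /proc/<pid>/status is included so a monitoring tool can confirm the state from outside; the sample status text in the test is constructed. Linux only.

```c
/* Added example (not from the thread): a login-shell wrapper that applies
 * PR_SET_NO_NEW_PRIVS before exec'ing the user's shell. The flag is
 * inherited across fork() and execve(), so every process in the session,
 * including a suid /bin/su, runs without gaining privilege. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Set the no_new_privs flag on the calling process.
 * Returns 0 on success, -1 on failure with errno set.
 * Unprivileged processes may set it; nothing can clear it afterwards. */
int apply_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Read the flag back: 1 if set, 0 if clear, -1 on error. */
int no_new_privs_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Parse the "NoNewPrivs:" line out of /proc/<pid>/status-style text.
 * Returns 0 or 1, or -1 if the line is missing or malformed. This lets an
 * auditing tool check a running session without being inside it. */
int parse_no_new_privs_status(const char *status_text)
{
    const char *key = "NoNewPrivs:";
    const char *p = status_text;

    while ((p = strstr(p, key)) != NULL) {
        /* Only accept the key at the start of a line. */
        if (p == status_text || p[-1] == '\n') {
            p += strlen(key);
            while (*p == ' ' || *p == '\t')
                p++;
            if (*p == '0' || *p == '1')
                return *p - '0';
            return -1;
        }
        p += strlen(key);
    }
    return -1;
}

int main(int argc, char **argv)
{
    const char *shell = getenv("SHELL");
    (void)argc;
    (void)argv;

    if (shell == NULL || *shell == '\0')
        shell = "/bin/sh";

    if (apply_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    if (no_new_privs_is_set() != 1) {
        fprintf(stderr, "no_new_privs did not take effect\n");
        return 1;
    }

    /* From here on the whole session is stuck on the current uid/gid:
     * suid bits and file capabilities on anything it execs are ignored. */
    execl(shell, shell, (char *)NULL);
    perror("execl");
    return 1;
}
```

Running `grep NoNewPrivs /proc/$$/status` inside the exec'd shell prints `NoNewPrivs: 1`, and `su` in that shell fails to change uid regardless of the password. Because the flag survives execve() of the shell, placing the call in the login path (a PAM session hook, a wrapper registered as the user's shell in /etc/passwd, or a systemd unit with NoNewPrivileges=yes) is what makes it per-user rather than per-process.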