Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965741AbbKDSR3 (ORCPT ); Wed, 4 Nov 2015 13:17:29 -0500 Received: from mail-oi0-f42.google.com ([209.85.218.42]:33770 "EHLO mail-oi0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755258AbbKDSR0 (ORCPT ); Wed, 4 Nov 2015 13:17:26 -0500 MIME-Version: 1.0 In-Reply-To: <20151104181519.GC22318@1wt.eu> References: <1446511187-9131-1-git-send-email-public@rsjtdrjgfuzkfg.com> <20151104002132.010ccd1d@rsjtdrjgfuzkfg.com> <20151104065820.GF21740@1wt.eu> <20151104181519.GC22318@1wt.eu> From: Andy Lutomirski Date: Wed, 4 Nov 2015 10:17:06 -0800 Message-ID: Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids To: Willy Tarreau Cc: Kees Cook , Dirk Steinmetz , Michael Kerrisk-manpages , Serge Hallyn , Seth Forshee , Alexander Viro , Linux FS Devel , LKML , "Eric W . Biederman" , Serge Hallyn , "security@kernel.org" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2805 Lines: 62 On Wed, Nov 4, 2015 at 10:15 AM, Willy Tarreau wrote: > On Wed, Nov 04, 2015 at 09:59:55AM -0800, Andy Lutomirski wrote: >> On Tue, Nov 3, 2015 at 10:58 PM, Willy Tarreau wrote: >> > On Tue, Nov 03, 2015 at 03:29:55PM -0800, Kees Cook wrote: >> >> Using "write" does kill the set-gid bit. I haven't looked at >> >> why. >> >> Al or anyone else, is there a meaningful distinction here? >> > >> > I remember this one, I got caught once while trying to put a shell into >> > a suid-writable file to get some privileges someone forgot to offer me :-) >> > >> > It's done by should_remove_suid() which is called upon write() and truncate(). >> > >> >> Should the >> >> mmap MAP_SHARED-write trigger the loss of the set-gid bit too? While >> >> holding the file open with either open or mmap, I get a Text-in-use >> >> error, so I would kind of expect the same behavior between either >> >> close() and munmap(). I wonder if this is a bug, and if so, then your >> >> link patch is indeed useful again. :) >> > >> > I don't see how this could be done with mmap(). Maybe we have a way to know >> > when the first write is performed via this path, I have no idea. >> >> do_wp_page might be a decent bet. > > Yep probably at the same place where we update the file's time ? > > That said I never feel completely comfortable with changing a file's > permissions this way, I always fear it could break backup/restore > applications. Let's imagine for a minute that a restore does this : > > extract(const char *file_name, int file_perms) { > fd = open(".tmpfile", O_CREAT, file_perms); > mmap(fd); > /* actually write file */ > close(fd); > unlink(real_file_name); > rename(".tmpfile", file_name); > } > > Yes I know it's not safe to do the chmod before writing to the file > but we could imagine some situations where it makes sense to be done > this way (eg: if the file is put into a protected directory), and > anyway this possibility is provided by open() and creat() so it is > legitimate to imagine these ones could exist. > > Such a change would slightly modify semantics and affect such use cases > *if they exist*, just like using write() instead of mmap() would fail. > We could imagine having a sysctl to disable this strengthening, but it > is probably not the best solution for the long term either. I'd say that this is an acceptable breakage risk. In any event, the potential for data loss is limited to a bit of the file mode, and restore apps like that really don't deserve to work in the first place. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/