Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753828AbbLDQNQ (ORCPT ); Fri, 4 Dec 2015 11:13:16 -0500 Received: from mail-ig0-f176.google.com ([209.85.213.176]:37827 "EHLO mail-ig0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753630AbbLDQNN convert rfc822-to-8bit (ORCPT ); Fri, 4 Dec 2015 11:13:13 -0500 MIME-Version: 1.0 In-Reply-To: <5661AC50.3070300@gmail.com> References: <3721cd96525af4cb0a671e9a36ac6402c8e5379a.1446594067.git.luto@kernel.org> <5661AC50.3070300@gmail.com> From: Andy Lutomirski Date: Fri, 4 Dec 2015 08:12:53 -0800 Message-ID: Subject: Re: [PATCH v3] capabilities.7, prctl.2: Document ambient capabilities To: "Michael Kerrisk (man-pages)" Cc: Andy Lutomirski , Serge Hallyn , Andrew Morton , Jarkko Sakkinen , "Ted Ts'o" , "Andrew G. Morgan" , Linux API , Mimi Zohar , Austin S Hemmelgarn , linux-security-module , Aaron Jones , Serge Hallyn , LKML , Markku Savela , Jonathan Corbet Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4442 Lines: 116 On Fri, Dec 4, 2015 at 7:08 AM, Michael Kerrisk (man-pages) wrote: > Hi Andy, > > I have applied your patch (below). Thanks for writing it. > But I have a question or two and a request. > > === > > In the capabilities(7) page tehre is the longstanding text: > > An application can use the following call to lock itself, and > all of its descendants, into an environment where the only way > of gaining capabilities is by executing a program with associ‐ > ated file capabilities: > > prctl(PR_SET_SECUREBITS, > SECBIT_KEEP_CAPS_LOCKED | > SECBIT_NO_SETUID_FIXUP | > SECBIT_NO_SETUID_FIXUP_LOCKED | > SECBIT_NOROOT | > SECBIT_NOROOT_LOCKED); > > As far as I can estimate, no changes are needed here to include > SECBIT_NO_CAP_AMBIENT_RAISE and SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED > in the above prctl() call, but could you confirm please? Correct. I'll probably write up a patch to suggest that doing this is a poor idea on a conventional distro, though, and I'll explain why. I suppose than deleting this would be an option, too. > > === > > In the message for kernel commit > 58319057b7847667f0c9585b9de0e8932b0fdb08 > you included this text: > > [[ > Because capability inheritance is so > broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and > then calling execve effectively drops capabilities. Therefore, > setresuid from root to nonroot conditionally clears pA unless > SECBIT_NO_SETUID_FIXUP is set. Processes that don't like this can > re-add bits to pA afterwards. > ]] > > I'm struggling to understand the significance of this text, > especially as your man-pages patch makes no mention of this point. > > The thing is, that text ("Therefore...") implies that there's > something special going on beyond the rules already documented > elsewhere. I mean, according to the rules aly documented elsewhere > in the page: Whoops, I forgot to add that to the manpage. > > (1) If a process with UIDs of 0 sets all its UIDs > nonzero, then, the permitted and effective sets are cleared > (that's the classical behavior), and because the permitted > set is cleared, then so is the ambient set. > > (2) And if we set SECBIT_NO_SETUID_FIXUP then > a UID 0 ==> nonzero transition doesn't clear permitted and > effective sets, and then of course the ambient set is not > cleared. > > So, what additional point were you meaning to convey in > the commit message? (Maybe it was just cruft in the commit > message, but if not, can you explain precisely the arguments > for setresuid() that are supposed to generate the special > behavior described by the above text.) It's case (1b), which is like (1) but with KEEPCAPS set. The permitted set doesn't get cleared, but the ambient set is still cleared. I'll write a manpage patch. --Andy > > === > > I did quite a bit of tweaking of the text that you added for > the capabilities page. Could you please check the following > to make sure I added no errors: > > Ambient (since Linux 4.3): > This is a set of capabilities that are preserved across > an execve(2) of a program that is not privileged. The > ambient capability set obeys the invariant that no capa‐ > bility can ever be ambient if it is not both permitted > and inheritable. > > The ambient capability set can be directly modified > using prctl(2). Ambient capabilities are automatically > lowered if either of the corresponding permitted or > inheritable capabilities is lowered. > > Executing a program that changes UID or GID due to the > set-user-ID or set-group-ID bits or executing a program > that has any file capabilities set will clear the ambi‐ > ent set. Ambient capabilities are added to the permit‐ > ted set and assigned to the effective set when execve(2) > is called. Looks good (other than the preexisting gotcha above). --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/