Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752845AbdGFFXz (ORCPT ); Thu, 6 Jul 2017 01:23:55 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:32807 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750977AbdGFFXy (ORCPT ); Thu, 6 Jul 2017 01:23:54 -0400 Date: Thu, 6 Jul 2017 07:23:21 +0200 From: Willy Tarreau To: Andy Lutomirski Cc: Kees Cook , Linus Torvalds , Michal Hocko , Ben Hutchings , Hugh Dickins , Oleg Nesterov , "Jason A. Donenfeld" , Rik van Riel , Larry Woodman , "Kirill A. Shutemov" , Tony Luck , "James E.J. Bottomley" , Helge Diller , James Hogan , Laura Abbott , Greg KH , "security@kernel.org" , Qualys Security Advisory , LKML , Ximin Luo Subject: Re: [PATCH] mm: larger stack guard gap, between vmas Message-ID: <20170706052321.GA25439@1wt.eu> References: <20170704113611.GA4732@decadent.org.uk> <1499209315.2707.29.camel@decadent.org.uk> <1499257180.2707.34.camel@decadent.org.uk> <20170705142354.GB21220@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1241 Lines: 24 On Wed, Jul 05, 2017 at 05:19:47PM -0700, Andy Lutomirski wrote: > I think it's ridiculous that you can change rlimits and then > exec a setuid thing. It's not so easy to fix, though. Maybe track, > per-task, inherited by clone and exec, what the rlimits were the last > time the process had privilege and reset to those limits when running > something setuid. But a better approach might be to have some sysctls > that say what the rlimits become when doing setuid. *Some* rlimits are useful and needed for the user as you mentionned. RLIMIT_CORE definitely is one of them, especially for debugging, when combined with suid_dumpable. Some others like RLIMIT_STACK should probably never be configurable at all and cause trouble. Probably that simply having a sysctl to set this one for setuid programs and ignore the current limit would be enough. We could even imagine another one to set the stack guard gap for setuid programs (this would also limit the impacts of having a large gap for everyone). > We need per-user-ns sysctls for stuff like this, and we don't really > have them... I don't think we need to be this fine-grained. min_mmap_addr is global, is used to address very similar issues and nobody seems to complain. Willy