Subject: Re: [RESEND PATCH] Allow passing tid or pid in SCM_CREDENTIALS without CAP_SYS_ADMIN
From: Prakash Sangappa
To: "Eric W. Biederman"
Cc: David Miller, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, drepper@redhat.com
Date: Fri, 1 Sep 2017 10:30:31 -0700
In-Reply-To: <87inh5ymv2.fsf@xmission.com>

On 8/30/17 10:41 AM, ebiederm@xmission.com wrote:
> Prakash Sangappa writes:
>
>> With regards to security, the question basically is what is the consequence
>> of passing the wrong id. As I understand it, interpreting the id to be pid
>> or tid, the effective uid and gid will be the same. It would be a problem
>> only if the incorrect interpretation of the id would refer to a different process.
>> But that cannot happen as the global tid (gettid()) of a thread is
>> unique.
> There is also the issue that the receiving process could look, not see
> the pid in proc and assume the sending process is dead. That I suspect
> is the larger danger.
>

Will this not be a bug in the application, if it is sending the wrong id?

>> As long as the thread is alive, that id cannot reference another process / thread.
>> Unless the thread were to exit and the id gets recycled and got used for another
>> thread or process. This would be no different from a process exiting and its
>> pid getting recycled which is the case now.
> Largely I agree.
>
> If all you want are pid translations I suspect there are far easier ways
> than updating the SCM_CREDENTIALS code.

What would be another easier & efficient way of doing pid translation?

Should a new API/mechanism be considered mainly for pid translation purposes, for use with pid namespaces, say based on 'pipe', something similar to I_SENDFD?

Thanks,
-Prakash.

> Eric
>
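The SCM_CREDENTIALS check the patch wants to relax, exercised from user space as an added example (not code from the patch or from this thread). It assumes an unmodified Linux kernel, where a pid other than the sender's own tgid, a worker thread's tid included, is refused with EPERM unless the sender holds CAP_SYS_ADMIN, and a pid that names no task fails even then; the helper names are my own.

```python
import errno
import os
import socket
import struct
import threading

UCRED = "3i"  # struct ucred: pid_t pid; uid_t uid; gid_t gid (three C ints)
UCRED_LEN = struct.calcsize(UCRED)


def try_send_creds(pid):
    """Send SCM_CREDENTIALS carrying `pid` over a socketpair; returns
    ("accepted", pid_seen_by_receiver) or ("error", ERRNO_NAME)."""
    snd, rcv = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        rcv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)  # deliver creds
        cred = struct.pack(UCRED, pid, os.getuid(), os.getgid())
        try:
            snd.sendmsg([b"x"], [(socket.SOL_SOCKET, socket.SCM_CREDENTIALS, cred)])
        except OSError as e:  # scm_check_creds() or the pid lookup refused it
            return ("error", errno.errorcode.get(e.errno, str(e.errno)))
        _data, anc, _flags, _addr = rcv.recvmsg(1, socket.CMSG_SPACE(UCRED_LEN))
        for level, ctype, payload in anc:
            if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
                rpid, _uid, _gid = struct.unpack(UCRED, payload[:UCRED_LEN])
                return ("accepted", rpid)
        return ("error", "NO_CREDS")
    finally:
        snd.close()
        rcv.close()


def own_tgid_roundtrip():
    """True if the sender's own tgid is accepted and arrives unchanged."""
    return try_send_creds(os.getpid()) == ("accepted", os.getpid())


def tid_from_worker_thread():
    """try_send_creds() run in a worker thread with that thread's own tid."""
    result = []
    t = threading.Thread(
        target=lambda: result.append(try_send_creds(threading.get_native_id())))
    t.start()
    t.join()
    return result[0]


if __name__ == "__main__":
    print("own tgid accepted:", own_tgid_roundtrip())  # True
    print("worker tid:", tid_from_worker_thread())  # ('error', 'EPERM') unless CAP_SYS_ADMIN
```

A pid above pid_max (for instance 2**31 - 1) is refused as well: EPERM for an unprivileged sender, ESRCH from the pid lookup when the sender has CAP_SYS_ADMIN.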