Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp2607262ybk; Tue, 12 May 2020 03:46:32 -0700 (PDT) X-Google-Smtp-Source: APiQypIKV2BgRKyCIPXPwznsM5vuwfJZnANa1E3UiyaV49fOp7ccaAmqJdLcpEH9gnFq38CskCZO X-Received: by 2002:a05:6402:35c:: with SMTP id r28mr15417213edw.295.1589280392086; Tue, 12 May 2020 03:46:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589280392; cv=none; d=google.com; s=arc-20160816; b=ZXq7GSsXt5/2wQfy273JCmcz0JBq2ebEB8rH5+q2do+0tNziNtM9Y2rfBGP/c8Q7uy RxLys+6t7IR4+DVLudgREvIjLJTZQDNwKvYUle8U8JxGnv/XATbtdqwzF8hBNburNZOW zSdCBeBaLBfpbNgUfSMJrjeXOdthP25hDr1F+jqiy4gK36UXLYibFVDT0UdhxmNKmo9I nJx/F6tmSzvDiKIuZVz1Ip4fiHCzy0/mAH/9end1pUxeA5X3pTzZKVuQJxJ5GIH18oOt 85Q9c8HnirhUFNQH+gxRjF0t9/pUSTGkRjuwYZQE3YDja1850mgiJM83hB/rQ4IFK9gd dD4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:to:from:date; bh=FhTRHsYdag7K48t1RlZfwrQH1dGPxlpoAqende4Ivnk=; b=f69ccM5n1RNPQ/Y0WQ/6vAodV5lisDr4c0rJ2HDb/9ncOG4FrIECI7/Ylaj8EwcN3V 3CEd4xXMfl6K1IUd33H0F+2fs/QziID6i7DLw262aat7rWbnGOloPUKXr6AM7N9iOxoV GCW8DIup2D8U8TgeEHCHGP717ObSLWzIJCkn5N2BibXyKolqxOTjgb2m77DU79Yb6ctV /sfpgqD1P0yzRLRk6XSiNr52XfkMjb/9/Jj7NKMv64pvikKi+V1CB0JpH8wetPKNQsWt 8bKQreT9GtjuEZ19YugMu+deQCXtIXIWTMQfj6IO/TciLp/Kb+IKKqyWjr0V3jBk+DPa rDbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b8si7184641edw.411.2020.05.12.03.46.08; Tue, 12 May 2020 03:46:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729611AbgELKoJ (ORCPT + 99 others); Tue, 12 May 2020 06:44:09 -0400 Received: from shells.gnugeneration.com ([66.240.222.126]:49602 "EHLO shells.gnugeneration.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729581AbgELKoI (ORCPT ); Tue, 12 May 2020 06:44:08 -0400 Received: by shells.gnugeneration.com (Postfix, from userid 1000) id 412A81A40053; Tue, 12 May 2020 03:44:08 -0700 (PDT) Date: Tue, 12 May 2020 03:44:08 -0700 From: Vito Caputo To: linux-kernel Subject: Re: Question regarding blocking set[ug]id on processes including via suid executables Message-ID: <20200512104408.jq3umt5hlqfbuhex@shells.gnugeneration.com> References: <20200512094524.662gnls64rwjhct2@shells.gnugeneration.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200512094524.662gnls64rwjhct2@shells.gnugeneration.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 12, 2020 at 02:45:24AM -0700, Vito Caputo wrote: > Hello folks, > > I'm curious if someone knows a way to do this using existing linux > interfaces. > > I'd like to create a login lacking the ability to switch uid/gid. > > Even if the process has access to suid executables like /bin/su, and > the user has the root password, I'd like the descendant processes of > their login to be simply incapable of changing uid/gid, even when it's > in the form of running a program w/suid bit set on an existing and > accessible executable in the filesystem. No matter what, it just > can't happen. > > Do we have any such thing today? I'd really like to be able to set > this on a specific user and all logins of that user are simply stuck > on that uid no matter what. > Basically what I'm looking for is a convention for login-time application of the PR_SET_NO_NEW_PRIVS prctl, do we have anything formalized in userspace for this? We've got NoNewPrivileges in systemd but it's not really user-oriented AFAIK... Maybe lkml isn't the right place to pose this question, any pointers appreciated though. Cheers, Vito Caputo