Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp2638231ybk;
        Tue, 12 May 2020 04:34:58 -0700 (PDT)
X-Google-Smtp-Source: APiQypL1Oh5GtK+rk4Wxtce6vcAE/+ftxhlI/LzR5diwvnOZc2ccX5Ip/a2Ilgw4ykESKtQFWm0G
X-Received: by 2002:a50:f288:: with SMTP id f8mr17733338edm.337.1589283297982;
        Tue, 12 May 2020 04:34:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589283297; cv=none;
        d=google.com; s=arc-20160816;
        b=aBJZQiBLceWLzDbQUdWq2/e03+zYjMtPKjN51bytbKbEJ0ccleVhFal5NAYMntCZCD
         bBfbje6Fqyz3RAtkuqsaHPJwtNhIeiMmAUFVnSPOkDhJBwLuNyZthNTWqonxOVK4s5OC
         YWOTcE4Y2oJfKu5ellNFd4+P4QFjTjg/sCIQO0EOwWekuDtL1T3CXoEUrCMSOQobEiUE
         iOJWLgXzGCYAlxa+Zm5Dd+Pmn31ke/UvsBP2UiuikiFBXTGou1NtfmQld1pGGZsRdrx8
         auVWfiJ+Y7G+eTWDaINfOkvGSDWFvH4sm+kpBbnzkHq7tqkZTgdeTkG3iSb0vZb4JhgF
         NXIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:to:from:date;
        bh=EaDlmUNucapZi0wRugSkqc1UFrJ7gd1Hs4GSpTaokTc=;
        b=CZkP70haPtPK2srqdXchzUItzcBeIxd+DkOfRfyyj1LtazmGXAn04t/NT+KT7vLMn0
         QcwhEU13m/o0GxiJk76tZxmSLcL3NgSRIOZch0ZOY7ZW1jD/f32oeeAEIr6To2eVluIW
         xu2l8sd5NEuxODK+lMRLE18lMLPlIzlhwtpC/DyFipNzJTwRPOD8ZgWouIFG5REJIRZU
         NbvcxgJFYpJrXY2QWa9wcLtUxIXP1BKuLxnvPz5bc4etilNbocviSpX4Qg7n3JVdj0zT
         xfQ/gs8LV59E+/l7kOZIRu4WLtWZM4INoE+fP5rmkLmuPWX2HjrGoncKOYkwdpEFmi6g
         6A2g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r10si8069585edy.321.2020.05.12.04.34.33;
        Tue, 12 May 2020 04:34:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729527AbgELLaf (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Tue, 12 May 2020 07:30:35 -0400
Received: from shells.gnugeneration.com ([66.240.222.126]:51232 "EHLO
        shells.gnugeneration.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726891AbgELLaf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 May 2020 07:30:35 -0400
Received: by shells.gnugeneration.com (Postfix, from userid 1000)
        id 6A3A51A40053; Tue, 12 May 2020 04:30:35 -0700 (PDT)
Date:   Tue, 12 May 2020 04:30:35 -0700
From:   Vito Caputo <vcaputo@pengaru.com>
To:     linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: Question regarding blocking set[ug]id on processes including via
 suid executables
Message-ID: <20200512113035.easefxliufsx54mk@shells.gnugeneration.com>
References: <20200512094524.662gnls64rwjhct2@shells.gnugeneration.com>
 <20200512104408.jq3umt5hlqfbuhex@shells.gnugeneration.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200512104408.jq3umt5hlqfbuhex@shells.gnugeneration.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 12, 2020 at 03:44:08AM -0700, Vito Caputo wrote:
> On Tue, May 12, 2020 at 02:45:24AM -0700, Vito Caputo wrote:
> > Hello folks,
> > 
> > I'm curious if someone knows a way to do this using existing linux
> > interfaces.
> > 
> > I'd like to create a login lacking the ability to switch uid/gid.
> > 
> > Even if the process has access to suid executables like /bin/su, and
> > the user has the root password, I'd like the descendant processes of
> > their login to be simply incapable of changing uid/gid, even when it's
> > in the form of running a program w/suid bit set on an existing and
> > accessible executable in the filesystem.  No matter what, it just
> > can't happen.
> > 
> > Do we have any such thing today?  I'd really like to be able to set
> > this on a specific user and all logins of that user are simply stuck
> > on that uid no matter what.
> > 
> 
> 
> Basically what I'm looking for is a convention for login-time
> application of the PR_SET_NO_NEW_PRIVS prctl, do we have anything
> formalized in userspace for this?  We've got NoNewPrivileges in
> systemd but it's not really user-oriented AFAIK...
> 
> Maybe lkml isn't the right place to pose this question, any pointers
> appreciated though.
> 

For posterity and comment if interested, PAM seems like a reasonable
integration point for this but I don't see any existing support
currently:

https://github.com/linux-pam/linux-pam/issues/224

I'll quit talking to myself on lkml and head to sleep now :)

Regards,
Vito Caputo