Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932132AbWIIMtR (ORCPT ); Sat, 9 Sep 2006 08:49:17 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932130AbWIIMtR (ORCPT ); Sat, 9 Sep 2006 08:49:17 -0400 Received: from nef2.ens.fr ([129.199.96.40]:7185 "EHLO nef2.ens.fr") by vger.kernel.org with ESMTP id S932132AbWIIMtQ (ORCPT ); Sat, 9 Sep 2006 08:49:16 -0400 Date: Sat, 9 Sep 2006 14:49:13 +0200 From: David Madore To: Linux Kernel mailing-list Cc: David Wagner Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1) Message-ID: <20060909124913.GA22748@clipper.ens.fr> References: <20060907003210.GA5503@clipper.ens.fr> <20060907173449.GA24013@clipper.ens.fr> <20060907225429.GA30916@elf.ucw.cz> <20060908041034.GB24135@clipper.ens.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.9i X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.10 (nef2.ens.fr [129.199.96.32]); Sat, 09 Sep 2006 14:49:13 +0200 (CEST) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3845 Lines: 98 On Sat, Sep 09, 2006 at 01:01:02AM +0000, David Wagner wrote: > David Madore wrote: > >On Fri, Sep 08, 2006 at 12:54:29AM +0200, Pavel Machek wrote: > >> Alternatively disallow suid/sgid-anything exec > >> when all "usual" capabilities are not present. > > > >This is probably too stringent: remove any trivial capability > >whatsoever and you lose a rather important ability. > > This might not be so terrible. At least, I'm not sure I'd rule it > out at this point -- it seems like it might be worth considering. The following patch (follows version 0.4.3 of my main patch) should make people happy in this respect: it adds a securebit (off by default) to enable suid non-root execution by underprivileged processes. Signed-off-by: David A. Madore --- fs/exec.c | 16 ++++++++++++---- include/linux/securebits.h | 9 +++++++++ 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 1cb5e34..adf834b 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -44,6 +44,7 @@ #include #include #include #include +#include #include #include #include @@ -918,6 +919,7 @@ int prepare_binprm(struct linux_binprm * int mode; struct inode * inode = bprm->file->f_dentry->d_inode; int retval; + char ok_to_sxid; mode = inode->i_mode; if (bprm->file->f_op == NULL) @@ -928,9 +930,16 @@ int prepare_binprm(struct linux_binprm * bprm->is_suid = 0; bprm->is_sgid = 0; - if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) { + ok_to_sxid = capable(CAP_REG_SXID) + && !(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID); + if (!cap_issubset(CAP_REGULAR_SET, current->cap_permitted) + && !issecure(SECURE_UNDERPRIVILEGED_MAY_SXID) + && (issecure(SECURE_NOROOT) || inode->i_uid != 0)) + ok_to_sxid = 0; + + if (ok_to_sxid) { /* Set-uid? */ - if (mode & S_ISUID && capable(CAP_REG_SXID)) { + if (mode & S_ISUID) { bprm->is_suid = 1; current->personality &= ~PER_CLEAR_ON_SETID; bprm->e_uid = inode->i_uid; @@ -942,8 +951,7 @@ int prepare_binprm(struct linux_binprm * * is a candidate for mandatory locking, not a setgid * executable. */ - if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) - && capable(CAP_REG_SXID)) { + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { bprm->is_sgid = 1; current->personality &= ~PER_CLEAR_ON_SETID; bprm->e_gid = inode->i_gid; diff --git a/include/linux/securebits.h b/include/linux/securebits.h index 5b06178..16e8f3e 100644 --- a/include/linux/securebits.h +++ b/include/linux/securebits.h @@ -18,6 +18,15 @@ #define SECURE_NOROOT 0 privileges. When unset, setuid doesn't change privileges. */ #define SECURE_NO_SETUID_FIXUP 2 +/* When set, allow underprivileged processes (= not possessing all + "regular" caps) to execute SUID/SGID executables (this is a + security issue as such executables might be surprised to run with + reduced privileges); if SECURE_NOROOT is _not_ set, this _does not_ + apply to SUID root processes (they are already made secure by + raising all caps). Removing the (regular) CAP_REG_SXID capability + also always inhibits any kind of SUID/SGID. */ +#define SECURE_UNDERPRIVILEGED_MAY_SXID 4 + /* Each securesetting is implemented using two bits. One bit specify whether the setting is on or off. The other bit specify whether the setting is fixed or not. A setting which is fixed cannot be changed - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/