Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp485508pxb; Wed, 8 Sep 2021 05:53:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZ02gNxDpgBn6YTPyFkQrJlaqwvQgQt2ZRkIxu9//XB5jiWd+k/hqfsRoDH68w2kErEUj4 X-Received: by 2002:a6b:3f02:: with SMTP id m2mr3122788ioa.136.1631105595083; Wed, 08 Sep 2021 05:53:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631105595; cv=none; d=google.com; s=arc-20160816; b=Ro7odGfr3j7wNjlgon8JpB1s6ks1erE/lViI3gyXMg/8WQK7QT1pOt1JrzIgoCaLaj /aQpQ7qoKGcUSP2SL6fD49OG6dSAAhYCSRxg/lUzgHW4y7d9ZNq40UgMFGU9fflOoCGU zcGiWQr7E8OxOopvImCb7+phAh02qvyf34PzFOr6cZPBAlalQX7LEM+vP9st6u8zWMuT ymN6LplHh0Ww6fVi6L0oOo0JkFachGpqNzaxkFPXjOrBBPgNu8a0VD4p3KxvxwsVRV/e jOWl1xc9vXZCQJsY6+COZ0D8XmoRJPzI6uew7bltkEOPTk75eClnxehfe68G9TRWPsTa 7kFA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=DIhKzjvpHkIg853gtEXM+sXR6AbHVL+JwO7UGomZoOs=; b=T29oViIifgLYksBySMFf00g+OpvgnHOp0wSngRIPqd92rkTm7eHsvU3pgdsSlOHlkA x0E/A1dhB2uaVyLJFwdNVq4spNdMkLw7jKZHnSnUgw9jzDPy7jXt2eHGCTxwV7zxRkzS mQcMbFXiQtzOHTgES2Mv0gm2yLSQylY1DXetNixzidUdgaNfy1ZxZn0IVe4S3HrANUqP Rx/lXG6QMjJNDRqQ9oRqre6BYxlyBiOJBX0a10O7gQqnogKBhX6qpeF1UrBc7d8ExA2T rvec0w34DiscBspVRGMVo61qrA0EETKIU1g7NiRQqzyoQl66DfgsBfFJ1YZKnEgMLdQl n6sw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h25si2049802ioj.39.2021.09.08.05.53.00; Wed, 08 Sep 2021 05:53:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348801AbhIHKZW (ORCPT + 99 others); Wed, 8 Sep 2021 06:25:22 -0400 Received: from mother.openwall.net ([195.42.179.200]:45538 "HELO mother.openwall.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1348771AbhIHKZV (ORCPT ); Wed, 8 Sep 2021 06:25:21 -0400 Received: (qmail 19587 invoked from network); 8 Sep 2021 10:24:11 -0000 Received: from localhost (HELO pvt.openwall.com) (127.0.0.1) by localhost with SMTP; 8 Sep 2021 10:24:11 -0000 Received: by pvt.openwall.com (Postfix, from userid 503) id 9905AAB88C; Wed, 8 Sep 2021 12:24:00 +0200 (CEST) Date: Wed, 8 Sep 2021 12:24:00 +0200 From: Solar Designer To: Christian Brauner Cc: CGEL , peterz@infradead.org, tglx@linutronix.de, linux-kernel@vger.kernel.org, Ran Xiaokai , James Morris , Linus Torvalds , Kees Cook , NeilBrown Subject: Re: [PATCH] set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds Message-ID: <20210908102400.GA22799@openwall.com> References: <20210728072629.530435-1-ran.xiaokai@zte.com.cn> <20210728115930.2lzs57h4hvnqipue@wittgenstein> <20210730082329.GA544980@www> <20210803100354.GA607722@www> <20210803140702.f3rdnka3e2x6vj4r@wittgenstein> <20210907213042.GA22626@openwall.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210907213042.GA22626@openwall.com> User-Agent: Mutt/1.4.2.3i Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Here's a further observation: On Tue, Sep 07, 2021 at 11:30:42PM +0200, Solar Designer wrote: > As I understand, the resulting commit: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2863643fb8b92291a7e97ba46e342f1163595fa8 > > broke RLIMIT_NPROC support for Apache httpd suexec and likely similar. The commit above tries to make things consistent by duplicating the check from copy_process() also in set_user(). However, the check isn't actually the same because set_user(new) is called _before_ security_task_fix_setuid(new, ...), whereas in the described detour via fork() its check would be reached already as the new user. So those capable() calls just look the same, but are actually very different, and that's the problem. My current understanding is the commit actually increases inconsistency. The commit message starts with: "in copy_process(): non root users but with capability CAP_SYS_RESOURCE or CAP_SYS_ADMIN will clean PF_NPROC_EXCEEDED flag even rlimit(RLIMIT_NPROC) exceeds. Add the same capability check logic here." It talks about the obscure case of "non root users but with capability". However, the capable() calls added by the commit actually also apply to root, such as in suexec. > Anyway, now I suggest that 2863643fb8b92291a7e97ba46e342f1163595fa8 be > reverted, and if there's any reason to make any change (what reason? > mere consistency or any real issue?) then I suggest that the flag > resetting on fork() be made conditional. Something like this: > > if (atomic_read(&p->real_cred->user->processes) >= > task_rlimit(p, RLIMIT_NPROC)) { > if (p->real_cred->user != INIT_USER && > !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) > goto bad_fork_free; > - } > - current->flags &= ~PF_NPROC_EXCEEDED; > + } else > + current->flags &= ~PF_NPROC_EXCEEDED; Alternatively, we could postpone the set_user() calls until we're running with the new user's capabilities, but that's an invasive change that's likely to create its own issues. So my suggestion above holds. Alexander