Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5024AC433F5 for ; Tue, 21 Dec 2021 23:36:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238041AbhLUXgL (ORCPT ); Tue, 21 Dec 2021 18:36:11 -0500 Received: from out02.mta.xmission.com ([166.70.13.232]:55006 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237268AbhLUXgK (ORCPT ); Tue, 21 Dec 2021 18:36:10 -0500 Received: from in01.mta.xmission.com ([166.70.13.51]:52356) by out02.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1mzofw-0043kp-AO; Tue, 21 Dec 2021 16:36:08 -0700 Received: from ip68-227-161-49.om.om.cox.net ([68.227.161.49]:41210 helo=email.froward.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1mzofv-0011pg-7L; Tue, 21 Dec 2021 16:36:07 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Willy Tarreau Cc: Linus Torvalds , Waiman Long , Alexander Viro , Kees Cook , linux-fsdevel , Linux Kernel Mailing List , Laurent Vivier , YunQiang Su , Helge Deller References: <20211221021744.864115-1-longman@redhat.com> <87lf0e7y0k.fsf@email.froward.int.ebiederm.org> <4f67dc4c-7038-7dde-cad9-4feeaa6bc71b@redhat.com> <87czlp7tdu.fsf@email.froward.int.ebiederm.org> <7f0f8e71-cf62-4c0b-5f13-a41919c6cd9b@redhat.com> <20211221205635.GB30289@1wt.eu> <20211221221336.GC30289@1wt.eu> Date: Tue, 21 Dec 2021 17:35:29 -0600 In-Reply-To: <20211221221336.GC30289@1wt.eu> (Willy Tarreau's message of "Tue, 21 Dec 2021 23:13:36 +0100") Message-ID: <87o8594jlq.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1mzofv-0011pg-7L;;;mid=<87o8594jlq.fsf@email.froward.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.161.49;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18phw0Fh80bB6hRLu0uycjSNt9ecskzegM= X-SA-Exim-Connect-IP: 68.227.161.49 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH] exec: Make suid_dumpable apply to SUID/SGID binaries irrespective of invoking users X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Willy Tarreau writes: > On Tue, Dec 21, 2021 at 09:56:35PM +0100, Willy Tarreau wrote: >> > As it is all done within the kernel, there is no need to >> > change any userspace code. We may need to add a flag bit in the task >> > structure to indicate using the suid_dumpable setting so that it can be >> > inherited across fork/exec. >> >> Depending on what we change there can be some subtly visible changes. >> In one of my servers I explicitly re-enable dumpable before setsid() >> when a core dump is desired for debugging. But other deamons could do >> the exact opposite. If setsid() systematically restores suid_dumpable, >> a process that explicitly disables it before calling setsid() would >> see it come back. But if we have a special "suid_in_progress" flag >> to mask suid_dumpable and that's reset by setsid() and possibly >> prctl(PR_SET_DUMPABLE) then I think it could even cover that unlikely >> case. > > Would there be any interest in pursuing attempts like the untested patch > below ? The intent is to set a new MMF_NOT_DUMPABLE on exec on setuid or > setgid bit, but clear it on setrlimit(RLIMIT_CORE), prctl(SET_DUMPABLE), > and setsid(). This flag makes get_dumpable() return SUID_DUMP_DISABLED > when set. I think that in the spirit it could maintain the info that a > suidexec happened and was not reset, without losing any tuning made by > the application. I never feel at ease touching all this and I certainly > did some mistakes but for now it's mostly to have a base to discuss > around, so do not hesitate to suggest or criticize. Yes. This looks like a good place to start the conversation. We need to do something like you are doing to separate dumpability changes due to privilege gains during exec and dumpability changes due to privilege shuffling with setresuid. As long as we only impact processes descending from a binary that has gained privileges during exec (like this patch) I think we have a lot of latitude in how we make this happen. Basically we only need to test su and sudo and verify that whatever we do works reasonably well for them. On the one hand I believe of gaining privileges during exec while letting the caller control some aspect of our environment is a dangerous design flaw and I would love to remove gaining privileges during exec entirely. On the other hand we need to introduces as few regressions as possible and make gaining privileges during exec as safe as possible. I do agree that RLIMIT_CORE and prctl(SET_DUMPABLE) are good places to clear the flag. I don't know if setsid is the proper key to re-enabling dumpability. I ran a quick test and simply doing "su" and then running a shell as root does not change the session, nor does "su -" (which creates a login shell). Also "sudo -s" does not create a new session. So session creation does not happen naturally. Still setsid is part of the standard formula for starting a daemon, so I don't think system services that run as daemons will be affected. I don't think anything we do matters for systemd. As I understand it "systemctl start ..." causes pid 1 to fork and exec services, which will ensure the started processes are not descendants of the binary the gained privileges during exec. Eric