Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5212382pxb; Sun, 13 Feb 2022 11:59:43 -0800 (PST) X-Google-Smtp-Source: ABdhPJyLdpJ0bzL0MGaymbSw37ScfpJD7sX7K0/cXiFllBeEcCSzN7kN1Xi0P8X9RReIDUBMt226 X-Received: by 2002:a62:bd0e:: with SMTP id a14mr11244762pff.32.1644782383177; Sun, 13 Feb 2022 11:59:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644782383; cv=none; d=google.com; s=arc-20160816; b=jVG4vkwZm13OWYnQW51Rt7nsg3spwFzyrIDEX+gemhrpNYNwi6LpvbRXKpVApmvYoR eIj34zWOXvCcrDeaWhfxBu/SJrStXcEpIyDXzIOboGHXEX9xQ9N3dQe+Mwv1i6gzpzWY OhTNfSLOpO990snb7cbo6TyLrGl/J1X16ddQ/GRr6WckzmO7ohytqjxbIUtHD1TD1zj/ tBomPMydqMQnwKxt7YM60S1srFN4CYnYKVs00z6muSNvz7R3ZSdr+rdaxuWcGf6B8MLL o87d+/H0Fhc8tsTEj+ZsrnNkKLDeVYiJ4he0xGjKtMg4Gha0FdVFuLRVfgTvhdFvCpUw K9xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=xr/Mt95RLQPw2n7BNGkt99bd4+sLtoWtPU8NAmtijsw=; b=FDgK9p/EPB8Qu9YhnNcD+1Yzedo6TjIQ2tD1ZYeWq/HYhx3ROrfjHyi+6dAlUCL+3J HWfRtLxAK7QgK8zxXgJfBi6wfiEePHMLch0ED8f4B8dwm6imqNMf2Mf7DTj/CcuYWWxM g9MdiuvaA9pVRr8WauGH8xL67pNaJe3J0KPT/kmej68TsZ30omxXb4eHMWGt8RKtci08 jy0BLQZL3y1lMHNclkLU4roNWhRx+1GTZvOLL4UF4mgo573oW8GKjiBg9QBaqyBbMu0N B+xi9SeldkE8xDMyLV1y5qKHL+D1PBTIusSOvNhlsxxyjdXsAfe0zAm8lkrX93BZPQHK uxYQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ng5si10930838pjb.128.2022.02.13.11.59.24; Sun, 13 Feb 2022 11:59:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230321AbiBLWOc (ORCPT + 99 others); Sat, 12 Feb 2022 17:14:32 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:36950 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230142AbiBLWOb (ORCPT ); Sat, 12 Feb 2022 17:14:31 -0500 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 3A0FD60A81 for ; Sat, 12 Feb 2022 14:14:24 -0800 (PST) Received: (qmail 11884 invoked from network); 12 Feb 2022 22:14:23 -0000 Received: from localhost (HELO pvt.openwall.com) (127.0.0.1) by localhost with SMTP; 12 Feb 2022 22:14:23 -0000 Received: by pvt.openwall.com (Postfix, from userid 503) id 44AA3AB88C; Sat, 12 Feb 2022 23:14:12 +0100 (CET) Date: Sat, 12 Feb 2022 23:14:12 +0100 From: Solar Designer To: "Eric W. Biederman" Cc: Michal Koutn?? , Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Ran Xiaokai , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [RFC PATCH 1/6] set_user: Perform RLIMIT_NPROC capability check against new user credentials Message-ID: <20220212221412.GA29214@openwall.com> References: <20220207121800.5079-1-mkoutny@suse.com> <20220207121800.5079-2-mkoutny@suse.com> <20220210011405.GA17076@openwall.com> <87h795xhxs.fsf@email.froward.int.ebiederm.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87h795xhxs.fsf@email.froward.int.ebiederm.org> User-Agent: Mutt/1.4.2.3i X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 11, 2022 at 02:32:47PM -0600, Eric W. Biederman wrote: > Solar Designer writes: > > https://lore.kernel.org/all/20210913100140.bxqlg47pushoqa3r@wittgenstein/ > > > > Christian was going to revert 2863643fb8b9, but apparently that never > > happened. Back then, I also suggested: > > > > "Alternatively, we could postpone the set_user() calls until we're > > running with the new user's capabilities, but that's an invasive change > > that's likely to create its own issues." > > Back then you mentioned that apache suexec was broken. Do you have > any more details? > > I would like to make certain the apache suexec issue is fixed but > without a few details I can't do that. I tried looking but I can't > find an public report about apache suexec being broken. I'm not aware of anyone actually running into this issue and reporting it. The systems that I personally know use suexec along with rlimits still run older/distro kernels, so would not yet be affected. So my mention was based on my understanding of how suexec works, and code review. Specifically, Apache httpd has the setting RLimitNPROC, which makes it set RLIMIT_NPROC: https://httpd.apache.org/docs/2.4/mod/core.html#rlimitnproc The above documentation for it includes: "This applies to processes forked from Apache httpd children servicing requests, not the Apache httpd children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked from the Apache httpd parent, such as piped logs." In code, there are: ./modules/generators/mod_cgid.c: ( (cgid_req.limits.limit_nproc_set) && ((rc = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, ./modules/generators/mod_cgi.c: ((rc = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, ./modules/filters/mod_ext_filter.c: rv = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, conf->limit_nproc); For example, in mod_cgi.c this is in run_cgi_child(). I think this means an httpd child sets RLIMIT_NPROC shortly before it execs suexec, which is a SUID root program. suexec then switches to the target user and execs the CGI script. Before 2863643fb8b9, the setuid() in suexec would set the flag, and the target user's process count would be checked against RLIMIT_NPROC on execve(). After 2863643fb8b9, the setuid() in suexec wouldn't set the flag because setuid() is (naturally) called when the process is still running as root (thus, has those limits bypass capabilities), and accordingly execve() would not check the target user's process count against RLIMIT_NPROC. > My goal is to come up with a very careful and conservative set of > patches that fix all of the known issues with RLIMIT_NPROC. The most conservative fix for this one would be to revert 2863643fb8b9 (preserving other changes that were made on top of it). I think this commit did not fix a real issue - it attempted to fix what someone thought was a discrepancy, but actually made it worse. However, your recent patch trying to fix that commit looks like it'd also repair the behavior for suexec. Thanks, Alexander