Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5581782pxb; Mon, 14 Feb 2022 02:35:33 -0800 (PST) X-Google-Smtp-Source: ABdhPJzBxHilIAIBHstUYbMiXk4MzR+7XogAefNXmziCTW1tqmJ8SzBBdgcgYaoSVwxsiyRlIdjt X-Received: by 2002:a17:906:99c2:: with SMTP id s2mr10761399ejn.317.1644834933379; Mon, 14 Feb 2022 02:35:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644834933; cv=none; d=google.com; s=arc-20160816; b=rNZNZ2zWOU67TOC4UYFV4+FEhMbhf/4BVZrY2OIf2uaHthNg4320A9DG3hwhWP/N/h dbC5eMTftQ/dSJssy/DmxndObD+FL0fKIOY0FAOzv0avW4hi0eqYVIVBdEVE3CfdShW+ DL0x3Y67peSECvXFZmVJL08fEbSsosEU24ddhxMTt/GDnMqoIfcqNTNlgBMAYRKaHleh R2e4Dzv/AZGNHme1sEsLf0imV6MUl+qwdUGSO5hc4h/0JYqF+NNkEL6J3cSoxbsSvAS4 B2Rrw7R4tqoE0ZgghmsWyO/xe09qI48VEqdMvCwdmgIP4eAUD+AsWglREfONIA9KKmK1 xkrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=ubuVrEph3RpMwH33qwSCCMVllDbBFz5++WQKDBiRR9M=; b=kQOs2A75FfHCeRGLipjuzhp1Ga4hgolX78vXqrgb6EKUGxhYcTDDq7WNcDeFi3tKO9 77yESMJoLx7KLRCpAz6HmF7yTDh52f2iRKq6tc6uQBnKY39XXnOK4ieDzPGfli9OIt4c 4xcFD8pMAaJUWqjHmbbma3ychxQNv4w+s5DelwRCS+4fdrqaYZjfqugQ+18G5JcV/2vR ecMPyI84yZqgjRF0T0odx6g/NyMKvHqL6994eF4i3LuXZ/4xFV7sb5QeEylL9DRTwcPD Y3f4sgmUQ1aZ4Y9JNaE3/QjY8uQzL8KXaoDkcx9s3UH+jrpz6IqkFDlJVBnO/bTv/aAb g2Iw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sb38si1132057ejc.650.2022.02.14.02.35.10; Mon, 14 Feb 2022 02:35:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232439AbiBLXRP (ORCPT + 99 others); Sat, 12 Feb 2022 18:17:15 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:41080 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232416AbiBLXRN (ORCPT ); Sat, 12 Feb 2022 18:17:13 -0500 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 3DEA65F8D5 for ; Sat, 12 Feb 2022 15:17:07 -0800 (PST) Received: (qmail 6042 invoked from network); 12 Feb 2022 23:17:06 -0000 Received: from localhost (HELO pvt.openwall.com) (127.0.0.1) by localhost with SMTP; 12 Feb 2022 23:17:06 -0000 Received: by pvt.openwall.com (Postfix, from userid 503) id D1CBDAB88C; Sun, 13 Feb 2022 00:17:01 +0100 (CET) Date: Sun, 13 Feb 2022 00:17:01 +0100 From: Solar Designer To: "Eric W. Biederman" Cc: linux-kernel@vger.kernel.org, Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Ran Xiaokai , Michal Koutn?? , stable@vger.kernel.org Subject: Re: [PATCH 3/8] ucounts: Fix and simplify RLIMIT_NPROC handling during setuid()+execve Message-ID: <20220212231701.GA29483@openwall.com> References: <87o83e2mbu.fsf@email.froward.int.ebiederm.org> <20220211021324.4116773-3-ebiederm@xmission.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220211021324.4116773-3-ebiederm@xmission.com> User-Agent: Mutt/1.4.2.3i X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 10, 2022 at 08:13:19PM -0600, Eric W. Biederman wrote: > As of commit 2863643fb8b9 ("set_user: add capability check when > rlimit(RLIMIT_NPROC) exceeds") setting the flag to see if execve > should check RLIMIT_NPROC is buggy, as it tests the capabilites from > before the credential change and not aftwards. > > As of commit 21d1c5e386bc ("Reimplement RLIMIT_NPROC on top of > ucounts") examining the rlimit is buggy as cred->ucounts has not yet > been properly set in the new credential. > > Make the code correct and more robust moving the test to see if > execve() needs to test RLIMIT_NPROC into commit_creds, and defer all > of the rest of the logic into execve() itself. > > As the flag only indicateds that RLIMIT_NPROC should be checked > in execve rename it from PF_NPROC_EXCEEDED to PF_NPROC_CHECK. > > Cc: stable@vger.kernel.org > Link: https://lkml.kernel.org/r/20220207121800.5079-2-mkoutny@suse.com > Link: https://lkml.kernel.org/r/20220207121800.5079-3-mkoutny@suse.com > Reported-by: Michal Koutn?? > Fixes: 2863643fb8b9 ("set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds") > Fixes: 21d1c5e386bc ("Reimplement RLIMIT_NPROC on top of ucounts") > Signed-off-by: "Eric W. Biederman" On one hand, this looks good. On the other, you asked about the Apache httpd suexec scenario in the other thread, and here's what this means for it (per my code review): In that scenario, we have two execve(): first from httpd to suexec, then from suexec to the CGI script. Previously, the limit check only occurred on the setuid() call by suexec, and its effect was deferred until execve() of the script. Now wouldn't it occur on both execve() calls, because commit_creds() is also called on execve() (such as in case the program is SUID, which suexec actually is)? Since the check is kind of against real uid (not the euid=0 that suexec gains), it'd apply the limit against httpd pseudo-user's process count. While it could be a reasonable kernel policy to impose this limit in more places, this is a change of behavior for Apache httpd, and is not the intended behavior there. However, I think the answer to my question earlier in this paragraph is actually a "no", the check wouldn't occur on the execve() of suexec, because "new->user != old->user" would be false. Right? As an alternative, you could keep setting the (renamed and reused) flag in set_user(). That would avoid the (non-)issue I described above - but again, your patch is probably fine as-is. I do see it's logical to have these two lines next to each other: > inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1); > + task->flags |= PF_NPROC_CHECK; Of course, someone would need to actually test this. Alexander