Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp4435102pxb; Mon, 21 Feb 2022 21:31:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJwRVF68tbiAZ1jp0/ewsngEy/SmuWn+gMX/SQnzFHKlaC43uXh3lYXT5u2F8dT0G9pL1e7K X-Received: by 2002:a63:6242:0:b0:348:601c:25fc with SMTP id w63-20020a636242000000b00348601c25fcmr18531919pgb.467.1645507910723; Mon, 21 Feb 2022 21:31:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645507910; cv=none; d=google.com; s=arc-20160816; b=X4Q+qj4rkajO0nIXKKjkE3yuF5fguDr38MzmZuo4cTscLM6Nwdbp4QhOoDoB1i4ifj 6Ds2m/Rn+PpdTntiT+zm5o0JguznIz2HAQRrcvKZjUk9e+o2yrtHnh0g0RJ6PhpbQyT8 i5ToBtx8Rf9lkNaeg1LQIosMjYRVXpYV5PQatsUHDLdBSwJ3oJLuw5evba3krGEa6c2A yUMdSE85X0AM7Cqa2pTQjgZRmWx6UlCLa4Il06mC2esdt6fFytNWDmbJ3Wti5zCPXCqe FtD/JaaS4XDYGB0bi1t5ZO0NTTRTeYHnOpVkiUc+zcZorB9DINWR/nN0f0SkB4USJyuk 4E0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=8ZPSzar0PdS1+nMA0o7G/eb7839DRPRewOOMR5vw4Mw=; b=N95jIvpIJudWYpy2/FWKIiNwKVdzyLzc2/lxyDjhF7UE4kbtWWRNvcqgr/akuWwRHQ Yx8EQvEXBDctwVnXcw2ZyGIhkd3/jpuJajIDuP8aaNNWKMwGWGmONMyf+qTYVIMXyuZw Ht5pObe+Vm7usjchK0fUGELT9ejAxHA8k0OuORCYR3q7c4Xu7BshDCyz1pEjuTnYWT3b MmYc9m1jyVKmakH/KP19Aqbh+meEUVArEEoCIqYxPmPMnrLQnbUyTkQzyjoeLRj4qVuE 7BdUI0QflF0vTZq5qJ0XNCgWsDYZVSdpifWx4CQxES/ioquIWZXe3Sp/Uyfqn5ityjQw GxMg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VqpawUgR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id f64si9884381pfa.327.2022.02.21.21.31.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Feb 2022 21:31:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VqpawUgR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0D39310F222; Mon, 21 Feb 2022 21:00:09 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351253AbiBUJnu (ORCPT + 99 others); Mon, 21 Feb 2022 04:43:50 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:49238 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351517AbiBUJhW (ORCPT ); Mon, 21 Feb 2022 04:37:22 -0500 Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CBF893A180; Mon, 21 Feb 2022 01:15:56 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id AC898CE0E90; Mon, 21 Feb 2022 09:15:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 933E9C340E9; Mon, 21 Feb 2022 09:15:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1645434936; bh=bVtbcFu1bP+aF7lF8UMTo0RVnvCW+DX0l8LGlJdH/wM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VqpawUgRwJZoFthG+biqOrj6XdFWYpSbvgNLJq2/nk6VxV02ydHBglmLxYXCDsxdn CL8Lwb3kp80E8v8iIFKNcSR25t4tyjeiXduir93Zs11HeeflIlu/DEcVcIvGt1bQAP rEbdJXMsl0+tftqhucfjs8Kkurw7BMqHd3VZ2/9k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Solar Designer , "Eric W. Biederman" Subject: [PATCH 5.15 182/196] rlimit: Fix RLIMIT_NPROC enforcement failure caused by capability calls in set_user Date: Mon, 21 Feb 2022 09:50:14 +0100 Message-Id: <20220221084937.031868839@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220221084930.872957717@linuxfoundation.org> References: <20220221084930.872957717@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric W. Biederman commit c16bdeb5a39ffa3f32b32f812831a2092d2a3061 upstream. Solar Designer wrote: > I'm not aware of anyone actually running into this issue and reporting > it. The systems that I personally know use suexec along with rlimits > still run older/distro kernels, so would not yet be affected. > > So my mention was based on my understanding of how suexec works, and > code review. Specifically, Apache httpd has the setting RLimitNPROC, > which makes it set RLIMIT_NPROC: > > https://httpd.apache.org/docs/2.4/mod/core.html#rlimitnproc > > The above documentation for it includes: > > "This applies to processes forked from Apache httpd children servicing > requests, not the Apache httpd children themselves. This includes CGI > scripts and SSI exec commands, but not any processes forked from the > Apache httpd parent, such as piped logs." > > In code, there are: > > ./modules/generators/mod_cgid.c: ( (cgid_req.limits.limit_nproc_set) && ((rc = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, > ./modules/generators/mod_cgi.c: ((rc = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, > ./modules/filters/mod_ext_filter.c: rv = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, conf->limit_nproc); > > For example, in mod_cgi.c this is in run_cgi_child(). > > I think this means an httpd child sets RLIMIT_NPROC shortly before it > execs suexec, which is a SUID root program. suexec then switches to the > target user and execs the CGI script. > > Before 2863643fb8b9, the setuid() in suexec would set the flag, and the > target user's process count would be checked against RLIMIT_NPROC on > execve(). After 2863643fb8b9, the setuid() in suexec wouldn't set the > flag because setuid() is (naturally) called when the process is still > running as root (thus, has those limits bypass capabilities), and > accordingly execve() would not check the target user's process count > against RLIMIT_NPROC. In commit 2863643fb8b9 ("set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds") capable calls were added to set_user to make it more consistent with fork. Unfortunately because of call site differences those capable calls were checking the credentials of the user before set*id() instead of after set*id(). This breaks enforcement of RLIMIT_NPROC for applications that set the rlimit and then call set*id() while holding a full set of capabilities. The capabilities are only changed in the new credential in security_task_fix_setuid(). The code in apache suexec appears to follow this pattern. Commit 909cc4ae86f3 ("[PATCH] Fix two bugs with process limits (RLIMIT_NPROC)") where this check was added describes the targes of this capability check as: 2/ When a root-owned process (e.g. cgiwrap) sets up process limits and then calls setuid, the setuid should fail if the user would then be running more than rlim_cur[RLIMIT_NPROC] processes, but it doesn't. This patch adds an appropriate test. With this patch, and per-user process limit imposed in cgiwrap really works. So the original use case of this check also appears to match the broken pattern. Restore the enforcement of RLIMIT_NPROC by removing the bad capable checks added in set_user. This unfortunately restores the inconsistent state the code has been in for the last 11 years, but dealing with the inconsistencies looks like a larger problem. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20210907213042.GA22626@openwall.com/ Link: https://lkml.kernel.org/r/20220212221412.GA29214@openwall.com Link: https://lkml.kernel.org/r/20220216155832.680775-1-ebiederm@xmission.com Fixes: 2863643fb8b9 ("set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds") History-Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Reviewed-by: Solar Designer Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman --- kernel/sys.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/kernel/sys.c +++ b/kernel/sys.c @@ -480,8 +480,7 @@ static int set_user(struct cred *new) * failure to the execve() stage. */ if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) && - new_user != INIT_USER && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + new_user != INIT_USER) current->flags |= PF_NPROC_EXCEEDED; else current->flags &= ~PF_NPROC_EXCEEDED;