From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Solar Designer, "Eric W. Biederman"
Subject: [PATCH 5.16 176/227] rlimit: Fix RLIMIT_NPROC enforcement failure caused by capability calls in set_user
Date: Mon, 21 Feb 2022 09:49:55 +0100
Message-Id: <20220221084940.664308892@linuxfoundation.org>
In-Reply-To: <20220221084934.836145070@linuxfoundation.org>
References: <20220221084934.836145070@linuxfoundation.org>

From: Eric W. Biederman

commit c16bdeb5a39ffa3f32b32f812831a2092d2a3061 upstream.

Solar Designer wrote:
> I'm not aware of anyone actually running into this issue and reporting
> it.  The systems that I personally know use suexec along with rlimits
> still run older/distro kernels, so would not yet be affected.
>
> So my mention was based on my understanding of how suexec works, and
> code review.  Specifically, Apache httpd has the setting RLimitNPROC,
> which makes it set RLIMIT_NPROC:
>
> https://httpd.apache.org/docs/2.4/mod/core.html#rlimitnproc
>
> The above documentation for it includes:
>
> "This applies to processes forked from Apache httpd children servicing
> requests, not the Apache httpd children themselves.  This includes CGI
> scripts and SSI exec commands, but not any processes forked from the
> Apache httpd parent, such as piped logs."
>
> In code, there are:
>
> ./modules/generators/mod_cgid.c: ( (cgid_req.limits.limit_nproc_set) && ((rc = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC,
> ./modules/generators/mod_cgi.c: ((rc = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC,
> ./modules/filters/mod_ext_filter.c: rv = apr_procattr_limit_set(procattr, APR_LIMIT_NPROC, conf->limit_nproc);
>
> For example, in mod_cgi.c this is in run_cgi_child().
>
> I think this means an httpd child sets RLIMIT_NPROC shortly before it
> execs suexec, which is a SUID root program.  suexec then switches to the
> target user and execs the CGI script.
>
> Before 2863643fb8b9, the setuid() in suexec would set the flag, and the
> target user's process count would be checked against RLIMIT_NPROC on
> execve().  After 2863643fb8b9, the setuid() in suexec wouldn't set the
> flag because setuid() is (naturally) called when the process is still
> running as root (thus, has those limits bypass capabilities), and
> accordingly execve() would not check the target user's process count
> against RLIMIT_NPROC.

In commit 2863643fb8b9 ("set_user: add capability check when
rlimit(RLIMIT_NPROC) exceeds") capable calls were added to set_user to
make it more consistent with fork.  Unfortunately because of call site
differences those capable calls were checking the credentials of the
user before set*id() instead of after set*id().

This breaks enforcement of RLIMIT_NPROC for applications that set the
rlimit and then call set*id() while holding a full set of
capabilities.  The capabilities are only changed in the new credential
in security_task_fix_setuid().

The code in apache suexec appears to follow this pattern.

Commit 909cc4ae86f3 ("[PATCH] Fix two bugs with process limits
(RLIMIT_NPROC)") where this check was added describes the targets of this
capability check as:

  2/ When a root-owned process (e.g. cgiwrap) sets up process limits and then
     calls setuid, the setuid should fail if the user would then be running
     more than rlim_cur[RLIMIT_NPROC] processes, but it doesn't.  This patch
     adds an appropriate test.  With this patch, and per-user process limit
     imposed in cgiwrap really works.

So the original use case of this check also appears to match the broken
pattern.

Restore the enforcement of RLIMIT_NPROC by removing the bad capable
checks added in set_user.  This unfortunately restores the
inconsistent state the code has been in for the last 11 years, but
dealing with the inconsistencies looks like a larger problem.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20210907213042.GA22626@openwall.com/
Link: https://lkml.kernel.org/r/20220212221412.GA29214@openwall.com
Link: https://lkml.kernel.org/r/20220216155832.680775-1-ebiederm@xmission.com
Fixes: 2863643fb8b9 ("set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds")
History-Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reviewed-by: Solar Designer
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Greg Kroah-Hartman --- kernel/sys.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/kernel/sys.c +++ b/kernel/sys.c @@ -480,8 +480,7 @@ static int set_user(struct cred *new) * failure to the execve() stage. */ if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) && - new_user != INIT_USER && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + new_user != INIT_USER) current->flags |= PF_NPROC_EXCEEDED; else current->flags &= ~PF_NPROC_EXCEEDED;
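
Review bot: In the set_user() hunk the condition is reduced to "new_user != INIT_USER", but the comment block above it (ending "failure to the execve() stage.") is left unchanged, so nothing in the code records why capable() must not be tested at this point. Per the commit message, capable() at this call site evaluates the credentials from before set*id(), which is what broke RLIMIT_NPROC enforcement for callers that still hold a full capability set; one sentence saying so in that comment would guard against the checks being added back. The commit message also notes that this restores an inconsistency with fork, and a short pointer to that in the comment would help whoever revisits it.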
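
The setuid()-then-execve() sequence described in the commit message, as an added example that is not part of the original mail or of the kernel source: a simplified user-space model of the PF_NPROC_EXCEEDED flag, with the capable() checks from 2863643fb8b9 switchable on and off. The struct layouts, the nproc_of[] table and all function names ending in _model are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PF_NPROC_EXCEEDED 0x1u
#define INIT_UID 0u

struct cred { unsigned uid; bool cap_sys_resource, cap_sys_admin; };
struct task { struct cred cred; unsigned flags; long rlim_nproc; };

static long nproc_of[2048];   /* constructed per-uid process counts (stand-in for ucounts) */

static bool overlimit(unsigned uid, long limit) { return nproc_of[uid] > limit; }

/* Models set_user(): capable() looks at the task's CURRENT (pre-set*id) credentials. */
static void set_user_model(struct task *t, const struct cred *new, bool with_capable)
{
    bool exceeded = overlimit(new->uid, t->rlim_nproc) && new->uid != INIT_UID;

    if (with_capable && (t->cred.cap_sys_resource || t->cred.cap_sys_admin))
        exceeded = false;     /* the check removed by this patch */
    if (exceeded)
        t->flags |= PF_NPROC_EXCEEDED;
    else
        t->flags &= ~PF_NPROC_EXCEEDED;
}

/* Models the execve() stage: the limit is only re-checked when the flag is set. */
static int execve_model(struct task *t)
{
    if ((t->flags & PF_NPROC_EXCEEDED) && overlimit(t->cred.uid, t->rlim_nproc))
        return -EAGAIN;
    t->flags &= ~PF_NPROC_EXCEEDED;
    return 0;
}

/* suexec pattern: root sets RLIMIT_NPROC, setuid()s to the target, then execve()s. */
static int suexec_scenario(bool with_capable, unsigned target, long limit, long running)
{
    struct task t = { { INIT_UID, true, true }, 0, limit };
    struct cred new = { target, false, false };

    nproc_of[target] = running;
    set_user_model(&t, &new, with_capable);
    t.cred = new;             /* capabilities change only in the new credential */
    return execve_model(&t);
}

int main(void)
{
    printf("with capable() checks: %d\n", suexec_scenario(true, 1000, 10, 50));
    printf("after this patch:      %d\n", suexec_scenario(false, 1000, 10, 50));
    return 0;
}
```
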