Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1101658pxm;
        Wed, 23 Feb 2022 18:10:48 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxBSHnqL09QFdR5G2vpJ7a3vxRYcpMIQ2wLf4RMSbiCwinIloiSjV22PM7oEMbC0nLuLypj
X-Received: by 2002:a17:903:204c:b0:14f:9a60:1d38 with SMTP id q12-20020a170903204c00b0014f9a601d38mr402438pla.92.1645668648442;
        Wed, 23 Feb 2022 18:10:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1645668648; cv=none;
        d=google.com; s=arc-20160816;
        b=ugFlg85lbmjOuLvhiDD7ftV6DWDu3BzlKt83XR+SQVOjIxAZapcr02yRzLF/byRIY/
         gJoqFtDGodT1tR2WI+fgrDW6ne1+eem6mycnk7Pk5FpRDiGRGXSwlTK8rhVSvF6HrrTI
         g1qD3AVd09bRHZhjfMGdKfnKOD0GsLg0JkGjHPAUfJhw0VCkj4JApkW9eUEj/5cLlsD7
         /cNvxBK2oH6RLCoS4jyN01yoQjOxxiFvIxe8gY+23rdwMTKPfs3kBBG9neJ1JpWDmBdh
         oq6XSwzTje6VQf7d57w+5HQTA2OHjIa9JHTvUZQHpaWUBeqH8GkkB2hJ7iTAYyw4fw50
         TZkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=V0FFBkvIcjFMOM0hqUZNjmDF0t+Ha0Kl81ed03YkD3w=;
        b=GP2y1BGfPEaeTlz5yrY2Gdgh4MStLHn9ZMboBjuzn1OVJ/YXEwapxk1sguby0YhPO0
         vOjpHPOqga3ZIggmyUmaQJGh29gals8p3eNRNUyy96P0Oz6XoQREiB2UjFllTDddwNge
         8l+p4OfrEHkV5NcJU+zamSU7Six5aLC4CueuG0cK9jTgL4caurbrvczYONoFXqv+8qYL
         AOczXB0XHS4yzq/USpuF1HkROMgg5gtrmSCoYckTqy+2RajwStsGZ7pVMUyC2iiS+yT6
         coV4WyQ5H9k8eeTrdKpxfQN3mPt6My6WBwhr0rSj7C3QfH7kKrIMgEsuto7GMPFwDmX9
         oxaQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@torvalds.org header.s=google header.b=GFTM2OY9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id y6si1414073plg.343.2022.02.23.18.10.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 23 Feb 2022 18:10:48 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@torvalds.org header.s=google header.b=GFTM2OY9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id D472B77AB3;
	Wed, 23 Feb 2022 17:42:08 -0800 (PST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229718AbiBXBmd (ORCPT <rfc822;android.linux@gmail.com>
        + 99 others); Wed, 23 Feb 2022 20:42:33 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44392 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229701AbiBXBm2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 23 Feb 2022 20:42:28 -0500
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBBE260ABF
        for <linux-kernel@vger.kernel.org>; Wed, 23 Feb 2022 17:41:58 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id y24so1385985lfg.1
        for <linux-kernel@vger.kernel.org>; Wed, 23 Feb 2022 17:41:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=torvalds.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=V0FFBkvIcjFMOM0hqUZNjmDF0t+Ha0Kl81ed03YkD3w=;
        b=GFTM2OY9vWIE39i8WbpocEunkuGykh61viUOA48wsUSJffRZoZlqa5icjLYhxM3N+m
         DKb9PvkkIZn5iYFbTaqaXYOIv7wagx+TBn+qjRDwmj0eY8Dliq8aLNw02KfWObzbcyQ/
         4rNhuNeMr4UAGG+y8fPMgvU7IgR711a1AM7IOJj07uM1WtLcRDXCrrGdLdr7qxs+tDmK
         8QwvhC3Z7oK33d06ETfSjgfhoDAQ4nWVZI/AM9EEk6a+ylMTMo8IiFcerUWNREyKfDVm
         LIu84/FrGcky24qdwdKZfwBBil//MBUS7mgm21lImxN/1SYkkrAS7jhBVSk/149bXMyA
         gFfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=V0FFBkvIcjFMOM0hqUZNjmDF0t+Ha0Kl81ed03YkD3w=;
        b=dWly1pMxNT1rbfHrHsoCzxVHpOJHTUV1UwFAIHEVzRQNm6YPUsn1yzMmdRC+44xc0Y
         0Swl5QuYC9jkvEMUwSSHBN1exAKA6ivBICHRmZhgqFVNI40vemoia7LY5osrp1YchLRx
         qRY4O4QxDelIfQH50slCQm7+/fvrO4TN5GERcsj4MR70NMvyAJMtjrTHz47ftfKqNyZS
         GMzhF2NHJjn77KZuEQTHlyEh+Me+OREK1vPEFR+/lypHraWm0yBZ0OyLxSajQcUKyndv
         KtFRxAoREK9w4mPMQN5qYd6SuqM4QWSyeEjcxVyd6YlFGxPC8+nSS6Y28YCoGfS5ww5h
         S1pQ==
X-Gm-Message-State: AOAM530DppI8cpD3pJd+PQ4oNqnzwMCBsTQeYvZpJczNIlXdSsbSPoxM
        e+u9QncirCj9JjbmPxxqZZgjLmvucdNSV9tI27YE2Q==
X-Received: by 2002:ac2:4d91:0:b0:443:127b:558a with SMTP id
 g17-20020ac24d91000000b00443127b558amr363692lfe.542.1645666917210; Wed, 23
 Feb 2022 17:41:57 -0800 (PST)
MIME-Version: 1.0
References: <20220207121800.5079-1-mkoutny@suse.com> <e9589141-cfeb-90cd-2d0e-83a62787239a@edechamps.fr>
 <20220215101150.GD21589@blackbody.suse.cz> <87zgmi5rhm.fsf@email.froward.int.ebiederm.org>
 <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> <CAHk-=wjX3VK8QRMDUWwigCTKdHJt0ESXh0Hy5HNaXf7YkEdCAA@mail.gmail.com>
 <878ru1qcos.fsf@email.froward.int.ebiederm.org>
In-Reply-To: <878ru1qcos.fsf@email.froward.int.ebiederm.org>
From:   Linus Torvalds <linus@torvalds.org>
Date:   Wed, 23 Feb 2022 17:41:41 -0800
Message-ID: <CAHk-=wgW8+vmqhx4t+uFiZL==8Ac5VWTqCm_oshA0e47B73qPw@mail.gmail.com>
Subject: Re: How should rlimits, suid exec, and capabilities interact?
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     Linux API <linux-api@vger.kernel.org>,
        Etienne Dechamps <etienne@edechamps.fr>,
        Alexey Gladkov <legion@kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Shuah Khan <shuah@kernel.org>,
        Christian Brauner <brauner@kernel.org>,
        Solar Designer <solar@openwall.com>,
        Ran Xiaokai <ran.xiaokai@zte.com.cn>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        =?UTF-8?Q?Michal_Koutn=C3=BD?= <mkoutny@suse.com>,
        Security Officers <security@kernel.org>,
        Neil Brown <neilb@cse.unsw.edu.au>, NeilBrown <neilb@suse.de>,
        "Serge E. Hallyn" <serge@hallyn.com>, Jann Horn <jannh@google.com>,
        Andy Lutomirski <luto@kernel.org>, Willy Tarreau <w@1wt.eu>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 23, 2022 at 5:24 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
>
> Question: Running a suid program today charges the activity of that
> program to the user who ran that program, not to the user the program
> runs as.  Does anyone see a problem with charging the user the program
> runs as?

So I think that there's actually two independent issues with limits
when you have situations like this where the actual user might be
ambiguous.

 - the "who to charge" question

 - the "how do we *check* the limit" question

and honestly, I think that when it comes to suid binaries, the first
question is fundamentally ambiguous, because it almost certainly
depends on the user.

Which to me implies that there probably isn't an answer that is always
right, and that what you should look at is that second option.

So I would actually suggest that the "execute a suid binary" should
charge the real user, but *because* it is suid, it should then not
check the limit (or, perhaps, should check the hard limit?).

You have to charge somebody, but at that point it's a bit ambiguous
whether it should be allowed.

Exactly so that if you're over a process limit (or something similar -
think "too many files open" or whatever because you screwed up and
opened everything) you could still log in as yourself (ssh/login
charges some admin thing, which probably has high limits or is
unlimited), and hopefully get shell access, and then be able to "exec
sudo" to actually get admin access that should be disabled from the
network.

The above is just one (traditional) example of a fork/open bomb case
where a user isn't really able to no longer function as himself, but
wants to fix things (maybe the user has another terminal open, but
then he can hopefully use a shell-buiiltin 'kill' instead).

And I'm not saying it's "the thing that needs to work". I'm more
making up an example.

So I'm only saying that the above actually has two examples to the two
sides of the coin: "login" lowering privileges to a user that may be
over some limit - and succeeding despite that - and 'suid' succeeding
despite the original user perhaps being over-committed.

So it's intended exactly as an example of "picking the new or the old
user would be wrong in either case if you check limits at the
transition point".

Hmm?

            Linus