Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1101658pxm; Wed, 23 Feb 2022 18:10:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJxBSHnqL09QFdR5G2vpJ7a3vxRYcpMIQ2wLf4RMSbiCwinIloiSjV22PM7oEMbC0nLuLypj X-Received: by 2002:a17:903:204c:b0:14f:9a60:1d38 with SMTP id q12-20020a170903204c00b0014f9a601d38mr402438pla.92.1645668648442; Wed, 23 Feb 2022 18:10:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645668648; cv=none; d=google.com; s=arc-20160816; b=ugFlg85lbmjOuLvhiDD7ftV6DWDu3BzlKt83XR+SQVOjIxAZapcr02yRzLF/byRIY/ gJoqFtDGodT1tR2WI+fgrDW6ne1+eem6mycnk7Pk5FpRDiGRGXSwlTK8rhVSvF6HrrTI g1qD3AVd09bRHZhjfMGdKfnKOD0GsLg0JkGjHPAUfJhw0VCkj4JApkW9eUEj/5cLlsD7 /cNvxBK2oH6RLCoS4jyN01yoQjOxxiFvIxe8gY+23rdwMTKPfs3kBBG9neJ1JpWDmBdh oq6XSwzTje6VQf7d57w+5HQTA2OHjIa9JHTvUZQHpaWUBeqH8GkkB2hJ7iTAYyw4fw50 TZkQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=V0FFBkvIcjFMOM0hqUZNjmDF0t+Ha0Kl81ed03YkD3w=; b=GP2y1BGfPEaeTlz5yrY2Gdgh4MStLHn9ZMboBjuzn1OVJ/YXEwapxk1sguby0YhPO0 vOjpHPOqga3ZIggmyUmaQJGh29gals8p3eNRNUyy96P0Oz6XoQREiB2UjFllTDddwNge 8l+p4OfrEHkV5NcJU+zamSU7Six5aLC4CueuG0cK9jTgL4caurbrvczYONoFXqv+8qYL AOczXB0XHS4yzq/USpuF1HkROMgg5gtrmSCoYckTqy+2RajwStsGZ7pVMUyC2iiS+yT6 coV4WyQ5H9k8eeTrdKpxfQN3mPt6My6WBwhr0rSj7C3QfH7kKrIMgEsuto7GMPFwDmX9 oxaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@torvalds.org header.s=google header.b=GFTM2OY9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id y6si1414073plg.343.2022.02.23.18.10.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 18:10:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@torvalds.org header.s=google header.b=GFTM2OY9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D472B77AB3; Wed, 23 Feb 2022 17:42:08 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229718AbiBXBmd (ORCPT + 99 others); Wed, 23 Feb 2022 20:42:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44392 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229701AbiBXBm2 (ORCPT ); Wed, 23 Feb 2022 20:42:28 -0500 Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBBE260ABF for ; Wed, 23 Feb 2022 17:41:58 -0800 (PST) Received: by mail-lf1-x12c.google.com with SMTP id y24so1385985lfg.1 for ; Wed, 23 Feb 2022 17:41:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=torvalds.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=V0FFBkvIcjFMOM0hqUZNjmDF0t+Ha0Kl81ed03YkD3w=; b=GFTM2OY9vWIE39i8WbpocEunkuGykh61viUOA48wsUSJffRZoZlqa5icjLYhxM3N+m DKb9PvkkIZn5iYFbTaqaXYOIv7wagx+TBn+qjRDwmj0eY8Dliq8aLNw02KfWObzbcyQ/ 4rNhuNeMr4UAGG+y8fPMgvU7IgR711a1AM7IOJj07uM1WtLcRDXCrrGdLdr7qxs+tDmK 8QwvhC3Z7oK33d06ETfSjgfhoDAQ4nWVZI/AM9EEk6a+ylMTMo8IiFcerUWNREyKfDVm LIu84/FrGcky24qdwdKZfwBBil//MBUS7mgm21lImxN/1SYkkrAS7jhBVSk/149bXMyA gFfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=V0FFBkvIcjFMOM0hqUZNjmDF0t+Ha0Kl81ed03YkD3w=; b=dWly1pMxNT1rbfHrHsoCzxVHpOJHTUV1UwFAIHEVzRQNm6YPUsn1yzMmdRC+44xc0Y 0Swl5QuYC9jkvEMUwSSHBN1exAKA6ivBICHRmZhgqFVNI40vemoia7LY5osrp1YchLRx qRY4O4QxDelIfQH50slCQm7+/fvrO4TN5GERcsj4MR70NMvyAJMtjrTHz47ftfKqNyZS GMzhF2NHJjn77KZuEQTHlyEh+Me+OREK1vPEFR+/lypHraWm0yBZ0OyLxSajQcUKyndv KtFRxAoREK9w4mPMQN5qYd6SuqM4QWSyeEjcxVyd6YlFGxPC8+nSS6Y28YCoGfS5ww5h S1pQ== X-Gm-Message-State: AOAM530DppI8cpD3pJd+PQ4oNqnzwMCBsTQeYvZpJczNIlXdSsbSPoxM e+u9QncirCj9JjbmPxxqZZgjLmvucdNSV9tI27YE2Q== X-Received: by 2002:ac2:4d91:0:b0:443:127b:558a with SMTP id g17-20020ac24d91000000b00443127b558amr363692lfe.542.1645666917210; Wed, 23 Feb 2022 17:41:57 -0800 (PST) MIME-Version: 1.0 References: <20220207121800.5079-1-mkoutny@suse.com> <20220215101150.GD21589@blackbody.suse.cz> <87zgmi5rhm.fsf@email.froward.int.ebiederm.org> <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> <878ru1qcos.fsf@email.froward.int.ebiederm.org> In-Reply-To: <878ru1qcos.fsf@email.froward.int.ebiederm.org> From: Linus Torvalds Date: Wed, 23 Feb 2022 17:41:41 -0800 Message-ID: Subject: Re: How should rlimits, suid exec, and capabilities interact? To: "Eric W. Biederman" Cc: Linux API , Etienne Dechamps , Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Solar Designer , Ran Xiaokai , Linux Kernel Mailing List , "open list:KERNEL SELFTEST FRAMEWORK" , Linux Containers , =?UTF-8?Q?Michal_Koutn=C3=BD?= , Security Officers , Neil Brown , NeilBrown , "Serge E. Hallyn" , Jann Horn , Andy Lutomirski , Willy Tarreau Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 23, 2022 at 5:24 PM Eric W. Biederman wrote: > > Question: Running a suid program today charges the activity of that > program to the user who ran that program, not to the user the program > runs as. Does anyone see a problem with charging the user the program > runs as? So I think that there's actually two independent issues with limits when you have situations like this where the actual user might be ambiguous. - the "who to charge" question - the "how do we *check* the limit" question and honestly, I think that when it comes to suid binaries, the first question is fundamentally ambiguous, because it almost certainly depends on the user. Which to me implies that there probably isn't an answer that is always right, and that what you should look at is that second option. So I would actually suggest that the "execute a suid binary" should charge the real user, but *because* it is suid, it should then not check the limit (or, perhaps, should check the hard limit?). You have to charge somebody, but at that point it's a bit ambiguous whether it should be allowed. Exactly so that if you're over a process limit (or something similar - think "too many files open" or whatever because you screwed up and opened everything) you could still log in as yourself (ssh/login charges some admin thing, which probably has high limits or is unlimited), and hopefully get shell access, and then be able to "exec sudo" to actually get admin access that should be disabled from the network. The above is just one (traditional) example of a fork/open bomb case where a user isn't really able to no longer function as himself, but wants to fix things (maybe the user has another terminal open, but then he can hopefully use a shell-buiiltin 'kill' instead). And I'm not saying it's "the thing that needs to work". I'm more making up an example. So I'm only saying that the above actually has two examples to the two sides of the coin: "login" lowering privileges to a user that may be over some limit - and succeeding despite that - and 'suid' succeeding despite the original user perhaps being over-committed. So it's intended exactly as an example of "picking the new or the old user would be wrong in either case if you check limits at the transition point". Hmm? Linus