Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1007822pxb; Wed, 6 Apr 2022 06:35:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxU4A/pKeXUFn0JphZ3+qtIAJCzHKihvgiMMh4+jhJL+f8Xk8q7QaOdaSwmVPLydFsygdQX X-Received: by 2002:a17:902:7247:b0:156:9d3d:756d with SMTP id c7-20020a170902724700b001569d3d756dmr8882563pll.6.1649252114293; Wed, 06 Apr 2022 06:35:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649252114; cv=none; d=google.com; s=arc-20160816; b=o6iFEtPH2O8/KM4kalELw+zB79aECYKzlDlYErfz7OyXpr4827NrVEFBzuKA+H3gB+ EMLx7Jy+K/q5LY4/S1YhsTYaZCbwcE+0aeYouc1XGBebxWYr2fvDJwutzBSwbIXxTnyR FWrZFxx3MmXV+BNMv0lheeXmu7mTEQiJTMsNEsTBaIQKvU2aGj2SLRGa4HHgtjcDHVtd v8xf7BWBH6bAYLFQCEV1TYK+1+zO2Jo9PW2vnB4Difn+gJiX762zzgqx2I+0PxK9pyxP z4T+3Rc4vtE4+aHXwe24VsLCnELIUjYL79pwVBvpdu4ikEeSiQ/JfUKG31TQbke/OpQ/ AVDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Nn4v+M2q19O6e4mnh9oIPJgD5dIehDlELfqHUP2K17g=; b=LkpcZAPfL+YciOkpbxgzqDUEMIcpyBZ3QV16p/RzLYV74XoluI2jj6TbrLVgOh04rE 8wl6kKyboMdRlyvWu8P6lF2D9/Xf48uhzZQ4U4iPbWAp2A8VzEkmIa9N983JWzIpzwSq 5JEHr4T5O2dol1seBHh7hsW5t8DomFkCbkDk9Gs9xeM6w6M3XHPmYBtpCYXWsBLA6sv/ ioRk8M/rndeIzNFjBWyvmrKg2FLmDPkh+UQxwLbDp/tz2zFfpVq335h39nNsZFvRB+83 lVSUIahh3+KKEfYkZG8i5kcRpEKU2Cpb8mVAEX2C5cdu1jspzbMeE0oejCO6ASO8arRc EFuA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id q7-20020a056a00088700b004fac74c990fsi8603622pfj.366.2022.04.06.06.35.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 06:35:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 4306F5D61FB; Wed, 6 Apr 2022 04:15:05 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1850253AbiDFCsM (ORCPT + 99 others); Tue, 5 Apr 2022 22:48:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1585626AbiDFAAG (ORCPT ); Tue, 5 Apr 2022 20:00:06 -0400 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8FB4B5DE40; Tue, 5 Apr 2022 15:22:11 -0700 (PDT) Received: from cwcc.thunk.org (pool-108-7-220-252.bstnma.fios.verizon.net [108.7.220.252]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 235MLeah002791 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 5 Apr 2022 18:21:40 -0400 Received: by cwcc.thunk.org (Postfix, from userid 15806) id DFA5915C3EB6; Tue, 5 Apr 2022 18:21:39 -0400 (EDT) Date: Tue, 5 Apr 2022 18:21:39 -0400 From: "Theodore Ts'o" To: Linus Torvalds Cc: Kees Cook , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Al Viro , Andrew Morton , Christian Heimes , Geert Uytterhoeven , James Morris , Luis Chamberlain , Mimi Zohar , Muhammad Usama Anjum , Paul Moore , Philippe =?iso-8859-1?Q?Tr=E9buchet?= , Shuah Khan , Steve Dower , Thibaut Sautereau , Vincent Strubel , linux-fsdevel , linux-integrity , Linux Kernel Mailing List , LSM List , Christian Brauner Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) Message-ID: References: <20220321161557.495388-1-mic@digikod.net> <202204041130.F649632@keescook> <816667d8-2a6c-6334-94a4-6127699d4144@digikod.net> <202204041451.CC4F6BF@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 04, 2022 at 04:26:44PM -0700, Linus Torvalds wrote: > > > (a) "what about suid bits that user space cannot react to" > > > > What do you mean here? Do you mean setid bits on the file itself? > > Right. > > Maybe we don't care. > > Maybe we do. > > Is the user-space loader going to honor them? Is it going to ignore > them? I don't know. And it actually interacts with things like > 'nosuid', which the kernel does know about, and user space has a hard > time figuring out. So there *used* to be suidperl which was a setuid version of perl with some extra security checks. (See [1] for more details.) The suidperl binary would be used by #!/usr/bin/perl so it could honor setuid bits on perl scripts, but it was deprecated in Perl 5.8 and removed in Perl 5.12 in 2010[2]. [1] https://mattmccutchen.net/suidperl.html [2] https://metacpan.org/release/SHAY/perl-5.20.2/view/pod/perl5120delta.pod#Deprecations So it's possible that the user-space loader might try to honor them, and if there was such an example "in the field", it might be nice if there was a way for the kernel to advise userspace about the nosuid. But I'm not aware of any other shell script interpreter that tried do what perl did with suidperl. > So if the point is "give me an interface so that I can do the same > thing a kernel execve() loader would do", then those sgid/suid bits > actually may be exactly the kind of thing that user space wants the > kernel to react to - should it ignore them, or should it do something > special when it sees that they are set? > > I'm not saying that they *should* be something we care about. All I'm > saying is that I want that *discussion* to happen. I'm not convinced we should. I suppose *if* the shell script was suid, *and* the file system was mounted nosuid, then the check could return false, and that would be mostly harmless even if the script interpreter didn't support setuid. But it's extra complexity, and in theory it could break a setuid script, where the setuid bit was previously a no-op, and it now might cause a problem for that user. - Ted