Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754824AbYLBXz6 (ORCPT ); Tue, 2 Dec 2008 18:55:58 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753016AbYLBXzu (ORCPT ); Tue, 2 Dec 2008 18:55:50 -0500 Received: from vvps-124.rabidhost.com ([208.43.196.46]:38582 "EHLO mail.rabidhost.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1752704AbYLBXzt (ORCPT ); Tue, 2 Dec 2008 18:55:49 -0500 X-Greylist: delayed 1640 seconds by postgrey-1.27 at vger.kernel.org; Tue, 02 Dec 2008 18:55:49 EST Subject: New Security Features, Please Comment From: Geoffrey McRae To: linux-kernel@vger.kernel.org Cc: Geoffrey McRae Content-Type: text/plain Date: Wed, 03 Dec 2008 10:28:14 +1100 Message-Id: <1228260494.24232.21.camel@compy.ivent.com.au> Mime-Version: 1.0 X-Mailer: Evolution 2.24.1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3394 Lines: 95 This is my first patch to the linux kernel, so please forgive me if I have broken any posting rules. Also, I am not on the mailing list, so please CC me on any replies to this. A side note before I start, the links to the linux howtos on the mailing list info page are broken, someone might want to fix that. I posted a message in linux-api yesterday regarding this, but had no responses. At this point I am looking for comments regarding these new syscalls and the likelyhood of having this patch applied. As the engineer for a web hosting company I have seen the need for grater control over a processes uid/gid. Currently with shared virtual hosting solutions, if for security we wish to run a shared CGI language (such as PHP) as the user that owns the website we are forced to fork a new process per request, then call setuid/gid and then launch the script language. This ofcource is resource intensive, but at present there is no other solution. My patch adds four new syscalls to the kernel that allows this issue to be overcome, and I am sure that it could find application in many other programs. The syscalls are: * long enable_setpresuid(uid_t start, uid_t end); This function enables the use of the setpresuid call for the calling process, the calling process has to have CAP_SETUID permission to call this function. The start and end parameters specify the uid range that the setpresuid must be called with. * long enable_setpresgid(gid_t start, gid_t end); This function is the same as above, except it enables the setpresgid call for the specified gid range. * long setpresuid(pid_t pid, uid_t ruid, uid_t euid, uid_t suid); This function changes the specified IMMEDIATE child pid's real, saved and effective uid to the specified uid. Returns -EPERM if the enable_setpresuid call has not been made first. * long setpresgid(pid_t pid, gid_t rgid, gid_t egid, gid_t sgid); This function does the same as above, except it applies to the group of the IMMEDIATE child. The reason for the enable functions is so that the calling app can drop root privlages after enabling the setpresuid/setpresgid for a certian range of uid/gid numbers. This allows the parent process to change its child processes (forked) uid/gid at any time without needing root access while being secure so that it can not set its child processes to users such as root. An example of its usage follows... int main() { pid_t child; /* enable the setpres* functions for ids 1000-9999 */ enable_setpresuid(1000, 9999); enable_setpresgid(1000, 9999); /* drop to an un-privlaged user */ setresuid(65534, 65534, 65534); /* fork a useless child for example sake */ child = fork(); if (child == 0) { sleep(10); return 0; } /* change the childs uid/gid to 1000 */ setpresuid(child, 1000, 1000, 1000); setpresgid(child, 1000, 1000, 1000); /* wait for the child to terminate */ wait(NULL); return 0; } For the patch and a bit more information please goto: http://www.spacevs.com/rambles/setuid2.php Even though not stated on the website, this code is released under whatever licence is needed to get it into the kernel. -Geoffrey McRae -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/