From: "Jürg Billeter" <j@bitron.ch>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Filipe Brandenburger <filbranden@google.com>,
David Wilcox <davidvsthegiant@gmail.com>,
hansecke@gmail.com, linux-kernel@vger.kernel.org
Subject: Re: [RESEND PATCH] prctl: add PR_[GS]ET_PDEATHSIG_PROC
Date: Tue, 03 Oct 2017 19:47:14 +0200 [thread overview]
Message-ID: <1507052834.19102.53.camel@bitron.ch> (raw)
In-Reply-To: <8760bwb04k.fsf@xmission.com>
On Tue, 2017-10-03 at 12:40 -0500, Eric W. Biederman wrote:
> Jürg Billeter <j@bitron.ch> writes:
> > What's actually the reason that CLONE_NEWPID requires CAP_SYS_ADMIN?
> > Does CLONE_NEWPID pose any risks that don't exist for
> > CLONE_NEWUSER|CLONE_NEWPID? Assuming we can't simply drop the
> > CAP_SYS_ADMIN requirement, do you see a better solution for this use
> > case?
>
> CLONE_NEWPID without a permission check would allow runing a setuid root
> application in a pid namespace. Off the top of my head I can't think of
> a really good exploit. But when you mess up pid files, and hide
> information from a privileged application I can completely imagine
> forcing that application to misbehave in ways the attacker can control.
> Leading to bad things.
Could we allow unprivileged CLONE_NEWPID if the no_new_privs bit is
set?
Jürg
next prev parent reply other threads:[~2017-10-03 17:47 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-09 9:40 [PATCH] prctl: add PR_[GS]ET_PDEATHSIG_PROC Jürg Billeter
2017-09-12 17:05 ` Oleg Nesterov
2017-09-12 18:54 ` Jürg Billeter
2017-09-13 17:11 ` Oleg Nesterov
2017-09-13 17:26 ` Jürg Billeter
2017-09-13 17:48 ` Oleg Nesterov
2017-09-29 12:30 ` [RESEND PATCH] " Jürg Billeter
2017-10-02 23:20 ` Andrew Morton
2017-10-03 3:25 ` Eric W. Biederman
2017-10-03 6:45 ` Jürg Billeter
2017-10-03 14:46 ` Eric W. Biederman
2017-10-03 16:10 ` Linus Torvalds
2017-10-03 16:36 ` Eric W. Biederman
2017-10-03 17:02 ` Linus Torvalds
2017-10-03 19:30 ` Eric W. Biederman
2017-10-03 20:02 ` Linus Torvalds
2017-10-03 20:32 ` Eric W. Biederman
2017-10-03 17:00 ` Jürg Billeter
2017-10-03 17:40 ` Eric W. Biederman
2017-10-03 17:47 ` Jürg Billeter [this message]
2017-10-03 19:05 ` Eric W. Biederman
2017-10-05 16:27 ` Oleg Nesterov
2017-10-08 17:47 ` Jürg Billeter
2017-10-09 16:32 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1507052834.19102.53.camel@bitron.ch \
--to=j@bitron.ch \
--cc=akpm@linux-foundation.org \
--cc=davidvsthegiant@gmail.com \
--cc=ebiederm@xmission.com \
--cc=filbranden@google.com \
--cc=hansecke@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.