From: Jeff Dike <jdike@addtoit.com>
To: Zach Brown <zach.brown@oracle.com>
Cc: Ingo Molnar <mingo@elte.hu>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: Syslets, signals, and security
Date: Mon, 4 Jun 2007 15:13:49 -0400 [thread overview]
Message-ID: <20070604191349.GA8903@c2.user-mode-linux.org> (raw)
In-Reply-To: <20070604174542.GD29201@mami.zabbo.net>
On Mon, Jun 04, 2007 at 10:45:42AM -0700, Zach Brown wrote:
> > Second, security. What happens if a well-written server starts life
> > as root, does some (async) I/O, and setuids to a non-root uid? There
> > will be a bunch of async threads still running as root, with the
> > result that async operations (and the main thread) will more than
> > occassionally regain root privs.
> One can imagine all sorts of crazy schemes which let us only shoot down
> waiting async threads which were cloned before state in the submitting
> task_struct was changed. Maybe we could swallow increasing a counter in
> task_struct each time we change one of these sensitive fields (fsuid,
> etc), but I bet the maintenance burden of anything more fine grained
> than that would get pretty excessive.
How about splitting the credentials out of the task_struct and making
them sharable ala ->mm et al? You change uid there and it changes for
everyone. It will make fork slightly more expensive though.
> Yeah, and I'm blissfully ignorant of ptrace. Imagine me skipping
> through a field of daisies with some ptrace wolves hiding in the bushes
> at the edge of the meadow. La la la.
Heh, I'm somewhat less ignorant of ptrace, so I'll see if I can help
out there.
> Each execution context having its own task struct is intentional, very
> much so. Remember, this started with the fibrils patch series which
> indeed shared a single task struct amongst a set of running stacks and
> thread infos, etc. This approach is invasive because it changes the
> sleeping entity in the scheduler from a task struct to some new
> construct which has a many to one mapping to the task struct. It
> touches vast amounts of code. This approach is also risky because it
> introduces concurrent access to the task struct. That's a pretty big
> auditing burden.
Yeah, I realize that, but have no idea how much code that requires
looking at.
> Have you looked at how the fibrils stuff did it? It's a lot more work
> than it seems like it should be, on first glance. You start to modify
> things and every few days you trip across another fundamental kernel
> construct which needs to be modified :/.
>
> http://lwn.net/Articles/219954/
Ah, I somehow missed this. Since you seem to have explored that area
of the solution space already and found it wanting, I agree that it
makes sense to see if syslets can be made to work.
Jeff
--
Work email - jdike at linux dot intel dot com
next prev parent reply other threads:[~2007-06-04 19:22 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-04 16:31 Syslets, signals, and security Jeff Dike
2007-06-04 17:16 ` Ulrich Drepper
2007-06-04 17:45 ` Zach Brown
2007-06-04 19:13 ` Jeff Dike [this message]
2007-06-04 20:57 ` Andi Kleen
2007-06-04 22:44 ` Alan Cox
2007-06-05 11:11 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070604191349.GA8903@c2.user-mode-linux.org \
--to=jdike@addtoit.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=zach.brown@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.