From: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups
Date: Sat, 15 Nov 2014 11:29:25 -0800 [thread overview]
Message-ID: <20141115192924.GB19060@thin> (raw)
In-Reply-To: <87d28osceg.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote:
> Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> writes:
>
> > Currently, unprivileged processes (without CAP_SETGID) cannot call
> > setgroups at all. In particular, processes with a set of supplementary
> > groups cannot further drop permissions without obtaining elevated
> > permissions first.
> >
> > Allow unprivileged processes to call setgroups with a subset of their
> > current groups; only require CAP_SETGID to add a group the process does
> > not currently have.
>
> A couple of questions.
> - Is there precedence in other unix flavors for this?
I found a few references to now-nonexistent pages at MIT about a system
with this property, but other than that no.
I've also found more than a few references to people wanting this
functionality.
> - What motiviates this change?
I have a series of patches planned to add more ways to drop elevated
privileges without requiring a transition through root to do so. That
would improve the ability for unprivileged users to run programs
sandboxed with even *less* privileges. (Among other things, that would
also allow programs running with no_new_privs to further *reduce* their
privileges, which they can't currently do in this case.)
> - Have you looked to see if anything might for bug compatibilty
> require applications not to be able to drop supplementary groups?
I haven't found any such case; that doesn't mean such a case does not
exist. Feedback welcome.
The only case I can think of (and I don't know of any examples of such a
system): some kind of quota system that limits the members of a group to
a certain amount of storage, but places no such limit on non-members.
However, the idea of *holding* a credential (a supplementary group ID)
giving *less* privileges, and *dropping* a credential giving *more*
privileges, would completely invert normal security models. (The sane
way to design such a system would be to have a privileged group for
"users who can exceed the quota".)
If it turns out that a real case exists that people care about, I could
easily make this configurable, either at compile time or via a sysctl.
- Josh Triplett
WARNING: multiple messages have this Message-ID (diff)
From: Josh Triplett <josh@joshtriplett.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
mtk.manpages@gmail.com, linux-api@vger.kernel.org,
linux-man@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups
Date: Sat, 15 Nov 2014 11:29:25 -0800 [thread overview]
Message-ID: <20141115192924.GB19060@thin> (raw)
In-Reply-To: <87d28osceg.fsf@x220.int.ebiederm.org>
On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote:
> Josh Triplett <josh@joshtriplett.org> writes:
>
> > Currently, unprivileged processes (without CAP_SETGID) cannot call
> > setgroups at all. In particular, processes with a set of supplementary
> > groups cannot further drop permissions without obtaining elevated
> > permissions first.
> >
> > Allow unprivileged processes to call setgroups with a subset of their
> > current groups; only require CAP_SETGID to add a group the process does
> > not currently have.
>
> A couple of questions.
> - Is there precedence in other unix flavors for this?
I found a few references to now-nonexistent pages at MIT about a system
with this property, but other than that no.
I've also found more than a few references to people wanting this
functionality.
> - What motiviates this change?
I have a series of patches planned to add more ways to drop elevated
privileges without requiring a transition through root to do so. That
would improve the ability for unprivileged users to run programs
sandboxed with even *less* privileges. (Among other things, that would
also allow programs running with no_new_privs to further *reduce* their
privileges, which they can't currently do in this case.)
> - Have you looked to see if anything might for bug compatibilty
> require applications not to be able to drop supplementary groups?
I haven't found any such case; that doesn't mean such a case does not
exist. Feedback welcome.
The only case I can think of (and I don't know of any examples of such a
system): some kind of quota system that limits the members of a group to
a certain amount of storage, but places no such limit on non-members.
However, the idea of *holding* a credential (a supplementary group ID)
giving *less* privileges, and *dropping* a credential giving *more*
privileges, would completely invert normal security models. (The sane
way to design such a system would be to have a privileged group for
"users who can exceed the quota".)
If it turns out that a real case exists that people care about, I could
easily make this configurable, either at compile time or via a sysctl.
- Josh Triplett
next prev parent reply other threads:[~2014-11-15 19:29 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-15 9:00 [PATCH 1/2] groups: Factor out a function to set a pre-sorted group list Josh Triplett
2014-11-15 9:00 ` Josh Triplett
2014-11-15 9:01 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Josh Triplett
[not found] ` <0895c1f268bc0b01cc6c8ed4607d7c3953f49728.1416041823.git.josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
2014-11-15 15:37 ` Eric W. Biederman
2014-11-15 15:37 ` Eric W. Biederman
[not found] ` <87d28osceg.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-15 19:29 ` Josh Triplett [this message]
2014-11-15 19:29 ` Josh Triplett
2014-11-15 20:06 ` Andy Lutomirski
2014-11-15 20:06 ` Andy Lutomirski
[not found] ` <CALCETrUM=GqsOumTmDMF4B5GS1w=x56t41eE-2xW1bBOfUz02w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-15 20:20 ` Josh Triplett
2014-11-15 20:20 ` Josh Triplett
2014-11-16 2:05 ` Theodore Ts'o
2014-11-16 2:05 ` Theodore Ts'o
[not found] ` <20141116020511.GB5507-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-11-16 2:35 ` Josh Triplett
2014-11-16 2:35 ` Josh Triplett
[not found] ` <6C690A2C-8EB1-421A-94C3-9803AFB95760-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
2014-11-16 3:08 ` Eric W. Biederman
2014-11-16 3:08 ` Eric W. Biederman
[not found] ` <87vbmfq1uw.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-16 5:07 ` Josh Triplett
2014-11-16 5:07 ` Josh Triplett
2014-11-16 13:32 ` Theodore Ts'o
2014-11-16 13:32 ` Theodore Ts'o
[not found] ` <20141116133230.GA32030-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-11-16 15:42 ` Andy Lutomirski
2014-11-16 15:42 ` Andy Lutomirski
[not found] ` <CALCETrUPsH_So2Mgk38Fe_pjp5Y+cgjzCUe7fzFcnsFzivHeNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-16 19:12 ` Josh Triplett
2014-11-16 19:12 ` Josh Triplett
2014-11-16 19:09 ` Josh Triplett
2014-11-16 19:09 ` Josh Triplett
2014-11-16 3:40 ` Theodore Ts'o
2014-11-16 3:40 ` Theodore Ts'o
[not found] ` <20141116034005.GC5507-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-11-16 4:52 ` Josh Triplett
2014-11-16 4:52 ` Josh Triplett
2014-11-17 11:37 ` One Thousand Gnomes
2014-11-17 11:37 ` One Thousand Gnomes
[not found] ` <20141117113734.396798e6-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2014-11-17 18:07 ` Andy Lutomirski
2014-11-17 18:07 ` Andy Lutomirski
[not found] ` <CALCETrXi1qHyu4_U7cbROB74n461nBZ9R7=0kfhR8-VFAwOF1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 22:11 ` Eric W.Biederman
2014-11-17 22:11 ` Eric W.Biederman
[not found] ` <0b65fd07-48ea-483b-8fd5-fd84d0bff881-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2014-11-17 22:22 ` Andy Lutomirski
2014-11-17 22:22 ` Andy Lutomirski
[not found] ` <CALCETrWXC5dMOXTTBOiq4Cv+yjqbA_UdmAN-TDmNAJUo+ABxtg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 22:37 ` josh-iaAMLnmF4UmaiuxdJuQwMA
2014-11-17 22:37 ` josh
2014-11-18 0:56 ` Casey Schaufler
2014-11-17 18:06 ` Casey Schaufler
[not found] ` <546A3942.5040906-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2014-11-17 18:31 ` Andy Lutomirski
2014-11-17 18:31 ` Andy Lutomirski
2014-11-17 18:46 ` Andy Lutomirski
2014-11-17 18:51 ` Casey Schaufler
[not found] ` <546A43CE.2030706-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2014-11-27 16:59 ` [CFT][PATCH] userns: Avoid problems with negative groups Eric W. Biederman
2014-11-27 16:59 ` Eric W. Biederman
[not found] ` <87lhmwwpey.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-27 20:52 ` Andy Lutomirski
2014-11-27 20:52 ` Andy Lutomirski
2014-11-27 20:52 ` Andy Lutomirski
[not found] ` <CALCETrUuWDq2akKfb50AiPHeDDWzPW7ijz1QwnuNiskyZbBEfA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-28 5:21 ` Eric W. Biederman
2014-11-28 5:21 ` Eric W. Biederman
2014-11-28 5:21 ` Eric W. Biederman
[not found] ` <87wq6frjcw.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-28 5:22 ` [CFT][PATCH v2] " Eric W. Biederman
2014-11-28 5:22 ` Eric W. Biederman
2014-11-28 15:11 ` [CFT][PATCH] " Andy Lutomirski
2014-11-28 15:11 ` Andy Lutomirski
2014-11-28 15:11 ` Andy Lutomirski
[not found] ` <CALCETrX2s-7iaLMEKLQsExTEp3JyoAPQG44p0v5wkeED3-6dQA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-28 16:34 ` Eric W. Biederman
2014-11-28 16:34 ` Eric W. Biederman
[not found] ` <874mtjp9m1.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-28 17:11 ` Andy Lutomirski
2014-11-28 17:11 ` Andy Lutomirski
2014-11-28 16:34 ` Eric W. Biederman
[not found] ` <CALCETrVn4gVXp7F=5h-bkN5VWuRMG9BoxgeQfKhX4+ZXxGE=wQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 22:41 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Eric W.Biederman
2014-11-17 22:41 ` Eric W.Biederman
[not found] ` <9f43a787-165e-4256-a097-f7691204d9d6-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2014-11-17 22:50 ` Andy Lutomirski
2014-11-17 22:50 ` Andy Lutomirski
[not found] ` <CALCETrU2tXM5sKx=L-K6=ARkvqefkcZHW3_RGhsgfc31FuWxJg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 23:13 ` josh-iaAMLnmF4UmaiuxdJuQwMA
2014-11-17 23:13 ` josh
[not found] ` <3ccec8a13019b5e8ce7b1d7889677b778b070dc8.1416041823.git.josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
2014-11-15 9:01 ` [PATCH manpages] getgroups.2: Document unprivileged setgroups calls Josh Triplett
2014-11-15 9:01 ` Josh Triplett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141115192924.GB19060@thin \
--to=josh-iaamlnmf4umaiuxdjuqwma@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.