From: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: "Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Michael Kerrisk-manpages
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
linux-man <linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups
Date: Sat, 15 Nov 2014 12:20:42 -0800 [thread overview]
Message-ID: <20141115202042.GA20900@thin> (raw)
In-Reply-To: <CALCETrUM=GqsOumTmDMF4B5GS1w=x56t41eE-2xW1bBOfUz02w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Sat, Nov 15, 2014 at 12:06:20PM -0800, Andy Lutomirski wrote:
> On Sat, Nov 15, 2014 at 11:29 AM, Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> wrote:
> > On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote:
> >> Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> writes:
> >>
> >> > Currently, unprivileged processes (without CAP_SETGID) cannot call
> >> > setgroups at all. In particular, processes with a set of supplementary
> >> > groups cannot further drop permissions without obtaining elevated
> >> > permissions first.
> >> >
> >> > Allow unprivileged processes to call setgroups with a subset of their
> >> > current groups; only require CAP_SETGID to add a group the process does
> >> > not currently have.
> >>
> >> A couple of questions.
> >> - Is there precedence in other unix flavors for this?
> >
> > I found a few references to now-nonexistent pages at MIT about a system
> > with this property, but other than that no.
> >
> > I've also found more than a few references to people wanting this
> > functionality.
> >
> >> - What motiviates this change?
> >
> > I have a series of patches planned to add more ways to drop elevated
> > privileges without requiring a transition through root to do so. That
> > would improve the ability for unprivileged users to run programs
> > sandboxed with even *less* privileges. (Among other things, that would
> > also allow programs running with no_new_privs to further *reduce* their
> > privileges, which they can't currently do in this case.)
> >
> >> - Have you looked to see if anything might for bug compatibilty
> >> require applications not to be able to drop supplementary groups?
> >
> > I haven't found any such case; that doesn't mean such a case does not
> > exist. Feedback welcome.
> >
> > The only case I can think of (and I don't know of any examples of such a
> > system): some kind of quota system that limits the members of a group to
> > a certain amount of storage, but places no such limit on non-members.
> >
> > However, the idea of *holding* a credential (a supplementary group ID)
> > giving *less* privileges, and *dropping* a credential giving *more*
> > privileges, would completely invert normal security models. (The sane
> > way to design such a system would be to have a privileged group for
> > "users who can exceed the quota".)
>
> Agreed. And, if you want to bypass quotas by dropping a supplementary
> group, you already can by unsharing your user namespace.
Good point! Given that a process can run with a new user namespace and
no other namespaces, and then drop all its other privileges that way,
the ability to drop privileges without using a user namespace seems
completely harmless, with one exception that you noted:
> However, sudoers seems to allow negative group matches. So maybe
> allowing this only with no_new_privs already set would make sense.
Sigh, bad sudo. Sure, restricting this to no_new_privs only seems fine.
I'll do that in v2, and document that in the manpage.
- Josh Triplett
WARNING: multiple messages have this Message-ID (diff)
From: Josh Triplett <josh@joshtriplett.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Linux API <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups
Date: Sat, 15 Nov 2014 12:20:42 -0800 [thread overview]
Message-ID: <20141115202042.GA20900@thin> (raw)
In-Reply-To: <CALCETrUM=GqsOumTmDMF4B5GS1w=x56t41eE-2xW1bBOfUz02w@mail.gmail.com>
On Sat, Nov 15, 2014 at 12:06:20PM -0800, Andy Lutomirski wrote:
> On Sat, Nov 15, 2014 at 11:29 AM, Josh Triplett <josh@joshtriplett.org> wrote:
> > On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote:
> >> Josh Triplett <josh@joshtriplett.org> writes:
> >>
> >> > Currently, unprivileged processes (without CAP_SETGID) cannot call
> >> > setgroups at all. In particular, processes with a set of supplementary
> >> > groups cannot further drop permissions without obtaining elevated
> >> > permissions first.
> >> >
> >> > Allow unprivileged processes to call setgroups with a subset of their
> >> > current groups; only require CAP_SETGID to add a group the process does
> >> > not currently have.
> >>
> >> A couple of questions.
> >> - Is there precedence in other unix flavors for this?
> >
> > I found a few references to now-nonexistent pages at MIT about a system
> > with this property, but other than that no.
> >
> > I've also found more than a few references to people wanting this
> > functionality.
> >
> >> - What motiviates this change?
> >
> > I have a series of patches planned to add more ways to drop elevated
> > privileges without requiring a transition through root to do so. That
> > would improve the ability for unprivileged users to run programs
> > sandboxed with even *less* privileges. (Among other things, that would
> > also allow programs running with no_new_privs to further *reduce* their
> > privileges, which they can't currently do in this case.)
> >
> >> - Have you looked to see if anything might for bug compatibilty
> >> require applications not to be able to drop supplementary groups?
> >
> > I haven't found any such case; that doesn't mean such a case does not
> > exist. Feedback welcome.
> >
> > The only case I can think of (and I don't know of any examples of such a
> > system): some kind of quota system that limits the members of a group to
> > a certain amount of storage, but places no such limit on non-members.
> >
> > However, the idea of *holding* a credential (a supplementary group ID)
> > giving *less* privileges, and *dropping* a credential giving *more*
> > privileges, would completely invert normal security models. (The sane
> > way to design such a system would be to have a privileged group for
> > "users who can exceed the quota".)
>
> Agreed. And, if you want to bypass quotas by dropping a supplementary
> group, you already can by unsharing your user namespace.
Good point! Given that a process can run with a new user namespace and
no other namespaces, and then drop all its other privileges that way,
the ability to drop privileges without using a user namespace seems
completely harmless, with one exception that you noted:
> However, sudoers seems to allow negative group matches. So maybe
> allowing this only with no_new_privs already set would make sense.
Sigh, bad sudo. Sure, restricting this to no_new_privs only seems fine.
I'll do that in v2, and document that in the manpage.
- Josh Triplett
next prev parent reply other threads:[~2014-11-15 20:20 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-15 9:00 [PATCH 1/2] groups: Factor out a function to set a pre-sorted group list Josh Triplett
2014-11-15 9:00 ` Josh Triplett
2014-11-15 9:01 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Josh Triplett
[not found] ` <0895c1f268bc0b01cc6c8ed4607d7c3953f49728.1416041823.git.josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
2014-11-15 15:37 ` Eric W. Biederman
2014-11-15 15:37 ` Eric W. Biederman
[not found] ` <87d28osceg.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-15 19:29 ` Josh Triplett
2014-11-15 19:29 ` Josh Triplett
2014-11-15 20:06 ` Andy Lutomirski
2014-11-15 20:06 ` Andy Lutomirski
[not found] ` <CALCETrUM=GqsOumTmDMF4B5GS1w=x56t41eE-2xW1bBOfUz02w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-15 20:20 ` Josh Triplett [this message]
2014-11-15 20:20 ` Josh Triplett
2014-11-16 2:05 ` Theodore Ts'o
2014-11-16 2:05 ` Theodore Ts'o
[not found] ` <20141116020511.GB5507-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-11-16 2:35 ` Josh Triplett
2014-11-16 2:35 ` Josh Triplett
[not found] ` <6C690A2C-8EB1-421A-94C3-9803AFB95760-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
2014-11-16 3:08 ` Eric W. Biederman
2014-11-16 3:08 ` Eric W. Biederman
[not found] ` <87vbmfq1uw.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-16 5:07 ` Josh Triplett
2014-11-16 5:07 ` Josh Triplett
2014-11-16 13:32 ` Theodore Ts'o
2014-11-16 13:32 ` Theodore Ts'o
[not found] ` <20141116133230.GA32030-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-11-16 15:42 ` Andy Lutomirski
2014-11-16 15:42 ` Andy Lutomirski
[not found] ` <CALCETrUPsH_So2Mgk38Fe_pjp5Y+cgjzCUe7fzFcnsFzivHeNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-16 19:12 ` Josh Triplett
2014-11-16 19:12 ` Josh Triplett
2014-11-16 19:09 ` Josh Triplett
2014-11-16 19:09 ` Josh Triplett
2014-11-16 3:40 ` Theodore Ts'o
2014-11-16 3:40 ` Theodore Ts'o
[not found] ` <20141116034005.GC5507-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-11-16 4:52 ` Josh Triplett
2014-11-16 4:52 ` Josh Triplett
2014-11-17 11:37 ` One Thousand Gnomes
2014-11-17 11:37 ` One Thousand Gnomes
[not found] ` <20141117113734.396798e6-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2014-11-17 18:07 ` Andy Lutomirski
2014-11-17 18:07 ` Andy Lutomirski
[not found] ` <CALCETrXi1qHyu4_U7cbROB74n461nBZ9R7=0kfhR8-VFAwOF1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 22:11 ` Eric W.Biederman
2014-11-17 22:11 ` Eric W.Biederman
[not found] ` <0b65fd07-48ea-483b-8fd5-fd84d0bff881-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2014-11-17 22:22 ` Andy Lutomirski
2014-11-17 22:22 ` Andy Lutomirski
[not found] ` <CALCETrWXC5dMOXTTBOiq4Cv+yjqbA_UdmAN-TDmNAJUo+ABxtg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 22:37 ` josh-iaAMLnmF4UmaiuxdJuQwMA
2014-11-17 22:37 ` josh
2014-11-18 0:56 ` Casey Schaufler
2014-11-17 18:06 ` Casey Schaufler
[not found] ` <546A3942.5040906-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2014-11-17 18:31 ` Andy Lutomirski
2014-11-17 18:31 ` Andy Lutomirski
2014-11-17 18:46 ` Andy Lutomirski
2014-11-17 18:51 ` Casey Schaufler
[not found] ` <546A43CE.2030706-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2014-11-27 16:59 ` [CFT][PATCH] userns: Avoid problems with negative groups Eric W. Biederman
2014-11-27 16:59 ` Eric W. Biederman
[not found] ` <87lhmwwpey.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-27 20:52 ` Andy Lutomirski
2014-11-27 20:52 ` Andy Lutomirski
[not found] ` <CALCETrUuWDq2akKfb50AiPHeDDWzPW7ijz1QwnuNiskyZbBEfA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-28 5:21 ` Eric W. Biederman
2014-11-28 5:21 ` Eric W. Biederman
2014-11-28 5:21 ` Eric W. Biederman
[not found] ` <87wq6frjcw.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-28 5:22 ` [CFT][PATCH v2] " Eric W. Biederman
2014-11-28 5:22 ` Eric W. Biederman
2014-11-28 15:11 ` [CFT][PATCH] " Andy Lutomirski
2014-11-28 15:11 ` Andy Lutomirski
[not found] ` <CALCETrX2s-7iaLMEKLQsExTEp3JyoAPQG44p0v5wkeED3-6dQA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-28 16:34 ` Eric W. Biederman
2014-11-28 16:34 ` Eric W. Biederman
[not found] ` <874mtjp9m1.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-11-28 17:11 ` Andy Lutomirski
2014-11-28 17:11 ` Andy Lutomirski
2014-11-28 16:34 ` Eric W. Biederman
2014-11-28 15:11 ` Andy Lutomirski
2014-11-27 20:52 ` Andy Lutomirski
[not found] ` <CALCETrVn4gVXp7F=5h-bkN5VWuRMG9BoxgeQfKhX4+ZXxGE=wQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 22:41 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Eric W.Biederman
2014-11-17 22:41 ` Eric W.Biederman
[not found] ` <9f43a787-165e-4256-a097-f7691204d9d6-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2014-11-17 22:50 ` Andy Lutomirski
2014-11-17 22:50 ` Andy Lutomirski
[not found] ` <CALCETrU2tXM5sKx=L-K6=ARkvqefkcZHW3_RGhsgfc31FuWxJg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-17 23:13 ` josh-iaAMLnmF4UmaiuxdJuQwMA
2014-11-17 23:13 ` josh
[not found] ` <3ccec8a13019b5e8ce7b1d7889677b778b070dc8.1416041823.git.josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>
2014-11-15 9:01 ` [PATCH manpages] getgroups.2: Document unprivileged setgroups calls Josh Triplett
2014-11-15 9:01 ` Josh Triplett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141115202042.GA20900@thin \
--to=josh-iaamlnmf4umaiuxdjuqwma@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.