* ptrace versus setuid changes in 4.14?
@ 2017-12-21 14:18 Tom Horsley
  2017-12-22 20:28 ` Laura Abbott
  0 siblings, 1 reply; 4+ messages in thread
From: Tom Horsley @ 2017-12-21 14:18 UTC
To: linux-kernel

On my fedora 26 box with a 4.13 kernel, when a process under ptrace control
did an exec of a setuid program, the program lost all of its setuid
privileges and ptrace could operate on it like a normal program.

Experimental evidence seems to indicate that on fedora 27 with a 4.14
kernel, ptrace cannot do a PEEKDATA to read anything from the just execed
setuid program. (I get errno 5 - I/O error).

Am I confused somehow, or did something really change in this vicinity?

It puts a real crimp in my fancy debug feature to patch code into a setuid
program to make it re-exec itself, then detach from it. (I don't suppose we
could get a setoptions feature to tell the kernel to detach from setuid
programs automagically and let the debugger know it is no longer in control
of the process?)
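A small reproducer for the behaviour reported above, added here as an example and not taken from the thread or from the bugzilla test program. It forks a child that calls PTRACE_TRACEME and execs a target, waits for the exec SIGTRAP, reads the new image's registers with PTRACE_GETREGSET, and then tries PTRACE_PEEKDATA on the word at the initial stack pointer (which holds argc on entry). Assumptions: an x86_64 or aarch64 Linux host, glibc, and a target path given on the command line (/bin/true is the non-setuid control; a setuid-root binary such as /usr/bin/passwd is the case the report describes). Run it as an unprivileged user without CAP_SYS_PTRACE, because a capable tracer is allowed to read non-dumpable tracees and would not see the failure.

```c
/* Reproducer: trace a child across exec and probe its memory afterwards.
 * Added example (not the thread's own code). Assumes x86_64 or aarch64
 * Linux; the target path is supplied by the caller. */
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_status {
    PROBE_OK,           /* PEEKDATA succeeded; word holds [sp] (argc)   */
    PROBE_PEEK_FAILED,  /* exec stop seen but PEEKDATA failed; err set   */
    PROBE_UNAVAILABLE,  /* PTRACE_TRACEME refused (Yama, seccomp, ...)   */
    PROBE_EXEC_FAILED,  /* target could not be executed                  */
    PROBE_ERROR         /* fork/wait/GETREGSET failure; err set          */
};

struct probe_result {
    enum probe_status status;
    int err;           /* errno of the failing call, if any */
    unsigned long sp;  /* initial stack pointer of the new image */
    long word;         /* value read at sp when status == PROBE_OK */
};

#if defined(__x86_64__)
#define REG_SP(r) ((r).rsp)
#elif defined(__aarch64__)
#define REG_SP(r) ((r).sp)
#else
#error "add the stack-pointer register name for this architecture"
#endif

/* Kill the stopped tracee and reap it so no zombie is left behind. */
static void reap(pid_t pid)
{
    kill(pid, SIGKILL);
    while (waitpid(pid, NULL, 0) < 0 && errno == EINTR)
        ;
}

struct probe_result probe_exec(const char *path)
{
    struct probe_result r = { PROBE_ERROR, 0, 0, 0 };
    int status;
    pid_t pid = fork();

    if (pid < 0) { r.err = errno; return r; }
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(77);                       /* tracing not permitted here */
        execl(path, path, (char *)NULL);     /* argv = { path }, so argc == 1 */
        _exit(127);
    }

    /* First stop: the SIGTRAP the kernel sends when a traced child execs. */
    if (waitpid(pid, &status, 0) < 0) { r.err = errno; reap(pid); return r; }
    if (WIFEXITED(status)) {
        r.status = WEXITSTATUS(status) == 77 ? PROBE_UNAVAILABLE
                                             : PROBE_EXEC_FAILED;
        return r;
    }
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) {
        reap(pid);
        return r;
    }

    /* Registers are still the entry state, so sp points at argc. */
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) < 0) {
        r.err = errno; reap(pid); return r;
    }
    r.sp = REG_SP(regs);

    /* PEEKDATA returns the word itself, so errno must be cleared first:
     * -1 is only an error when errno is set afterwards. */
    errno = 0;
    r.word = ptrace(PTRACE_PEEKDATA, pid, (void *)r.sp, NULL);
    if (r.word == -1 && errno != 0) {
        r.status = PROBE_PEEK_FAILED;   /* errno 5 (EIO) is the reported case */
        r.err = errno;
    } else {
        r.status = PROBE_OK;
    }
    reap(pid);
    return r;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/true";
    struct probe_result r = probe_exec(path);
    printf("%s: status=%d err=%d (%s) sp=%#lx word=%ld\n", path, r.status,
           r.err, r.err ? strerror(r.err) : "-", r.sp, r.word);
    return r.status == PROBE_OK ? 0 : 1;
}
```

With /bin/true the probe should report PROBE_OK and word=1 on any kernel; the thread's report corresponds to a setuid target giving PROBE_PEEK_FAILED with errno 5 on 4.14, where the same run on 4.13 gave PROBE_OK because the traced setuid exec simply ran without its privileges.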
* Re: ptrace versus setuid changes in 4.14?
  2017-12-21 14:18 ptrace versus setuid changes in 4.14? Tom Horsley
@ 2017-12-22 20:28 ` Laura Abbott
  2017-12-22 20:55 ` Tom Horsley
  0 siblings, 1 reply; 4+ messages in thread
From: Laura Abbott @ 2017-12-22 20:28 UTC
To: Tom Horsley, linux-kernel, Kees Cook
Cc: David Howells, Serge Hallyn, James Morris

On 12/21/2017 06:18 AM, Tom Horsley wrote:
> On my fedora 26 box with a 4.13 kernel, when a process
> under ptrace control did an exec of a setuid program,
> the program lost all of its setuid privileges and
> ptrace could operate on it like a normal program.
>
> Experimental evidence seems to indicate that on
> fedora 27 with a 4.14 kernel, ptrace cannot
> do a PEEKDATA to read anything from the just
> execed setuid program. (I get errno 5 - I/O error).
>
> Am I confused somehow, or did something really change
> in this vicinity?
>
> It puts a real crimp in my fancy debug feature to
> patch code into a setuid program to make it re-exec itself,
> then detach from it. (I don't suppose we could get
> a setoptions feature to tell the kernel to detach
> from setuid programs automagically and let the debugger
> know it is no longer in control of the process?)
>

Assuming this is https://bugzilla.redhat.com/show_bug.cgi?id=1528633

This is yet another victim of

commit e37fdb785a5f95ecadf43b773c97f676500ac7b8 (refs/bisect/bad)
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Jul 18 15:25:31 2017 -0700

    exec: Use secureexec for setting dumpability

    The examination of "current" to decide dumpability is wrong. This was a
    check of an euid/uid (or egid/gid) mismatch in the existing process, not
    the newly created one. This appears to stretch back into even the
    "history.git" tree. Luckily, dumpability is later set in commit_creds().
    In earlier kernel versions before creds existed, similar checks also
    existed late in the exec flow, covering up the mistake as far back as I
    could find.

    Note that because the commit_creds() check examines differences of euid,
    uid, egid, gid, and capabilities between the old and new creds, it would
    look like the setup_new_exec() dumpability test could be entirely
    removed. However, the secureexec test may cover a different set of tests
    (specific to the LSMs) than what commit_creds() checks for.

    So, fix this test to use secureexec (the removed euid tests are redundant
    to the commoncap secureexec checks now).

    Cc: David Howells <dhowells@redhat.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Serge Hallyn <serge@hallyn.com>
    Reviewed-by: James Morris <james.l.morris@oracle.com>

Is it time to think about reverting?

Thanks,
Laura
* Re: ptrace versus setuid changes in 4.14?
  2017-12-22 20:28 ` Laura Abbott
@ 2017-12-22 20:55 ` Tom Horsley
  2017-12-22 23:14 ` Kees Cook
  0 siblings, 1 reply; 4+ messages in thread
From: Tom Horsley @ 2017-12-22 20:55 UTC
To: Laura Abbott
Cc: linux-kernel, Kees Cook, David Howells, Serge Hallyn, James Morris

On Fri, 22 Dec 2017 12:28:25 -0800
Laura Abbott wrote:

> Assuming this is https://bugzilla.redhat.com/show_bug.cgi?id=1528633
> This is yet another victim of
>
> commit e37fdb785a5f95ecadf43b773c97f676500ac7b8 (refs/bisect/bad)
> Author: Kees Cook <keescook@chromium.org>
> Date:   Tue Jul 18 15:25:31 2017 -0700
>
>     exec: Use secureexec for setting dumpability

You mean there is hope this really is a bug and not a security
enhancement? Amazing :-).

And yes, that is the bugzilla I submitted after I reduced
things to a small test program.
* Re: ptrace versus setuid changes in 4.14?
  2017-12-22 20:55 ` Tom Horsley
@ 2017-12-22 23:14 ` Kees Cook
  0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2017-12-22 23:14 UTC
To: Tom Horsley
Cc: Laura Abbott, LKML, David Howells, Serge Hallyn, James Morris

On Fri, Dec 22, 2017 at 12:55 PM, Tom Horsley <horsley1953@gmail.com> wrote:
> On Fri, 22 Dec 2017 12:28:25 -0800
> Laura Abbott wrote:
>
>> Assuming this is https://bugzilla.redhat.com/show_bug.cgi?id=1528633
>> This is yet another victim of
>>
>> commit e37fdb785a5f95ecadf43b773c97f676500ac7b8 (refs/bisect/bad)
>> Author: Kees Cook <keescook@chromium.org>
>> Date:   Tue Jul 18 15:25:31 2017 -0700
>>
>>     exec: Use secureexec for setting dumpability
>
> You mean there is hope this really is a bug and not a security
> enhancement? Amazing :-).
>
> And yes, that is the bugzilla I submitted after I reduced
> things to a small test program.

I think the secureexec dumpability logic just needs to be removed --
the logic in commit_creds() _should_ be sufficient, but I want to
double-check it now that I've got some more test cases.

-Kees

-- 
Kees Cook
Pixel Security
end of thread, other threads:[~2017-12-22 23:14 UTC | newest]

Thread overview: 4+ messages
2017-12-21 14:18 ptrace versus setuid changes in 4.14? Tom Horsley
2017-12-22 20:28 ` Laura Abbott
2017-12-22 20:55 ` Tom Horsley
2017-12-22 23:14 ` Kees Cook