Re: [PATCH v2] exec: Correct the permission check for unsafe exec

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees@kernel.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>,
	Max Kellermann <max.kellermann@ionos.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	paul@paul-moore.com, jmorris@namei.org,
	Andy Lutomirski <luto@kernel.org>,
	morgan@kernel.org, Christian Brauner <christian@brauner.io>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] exec: Correct the permission check for unsafe exec
Date: Tue, 20 May 2025 15:35:03 -0700	[thread overview]
Message-ID: <202505201533.CEB79A19FF@keescook> (raw)
In-Reply-To: <87frgznd74.fsf_-_@email.froward.int.ebiederm.org>

On Tue, May 20, 2025 at 05:13:03PM -0500, Eric W. Biederman wrote:
> Max Kellerman recently experienced a problem[1] when calling exec with
> differing uid and euid's and he triggered the logic that is supposed
> to only handle setuid executables.

Max, can you verify this patch solves your use case?

> [...]
> To minimize behavioural changes the code continues to set secureexec
> when euid != uid or when egid != gid.
> [...]
> @@ -993,7 +987,9 @@ int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
>  		return -EPERM;
>  
>  	/* Check for privilege-elevated exec. */
> -	if (is_setid ||
> +	if (id_changed ||
> +	    !uid_eq(new->euid, old->uid) ||
> +	    !gid_eq(new->egid, old->gid) ||
>  	    (!__is_real(root_uid, new) &&
>  	     (effective ||
>  	      __cap_grew(permitted, ambient, new))))

Great! Thanks for the secureexec tweak here. Jann, does this look
reasonable to you?

-Kees

-- 
Kees Cook

next prev parent reply	other threads:[~2025-05-20 22:35 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-06  8:26 [PATCH] security/commoncap: don't assume "setid" if all ids are identical Max Kellermann
2025-03-07 10:32 ` kernel test robot
2025-03-09 15:19 ` Serge E. Hallyn
2025-04-28 11:43   ` Max Kellermann
2025-05-06 13:21     ` Serge E. Hallyn
2025-05-06 14:51       ` Max Kellermann
2025-05-07  3:16         ` Andrew G. Morgan
2025-05-07  6:33           ` Max Kellermann
2025-05-08  3:32             ` Andrew G. Morgan
2025-05-08  6:38               ` Max Kellermann
2025-05-08  8:37               ` Max Kellermann
2025-05-09 17:50             ` Max Kellermann
2025-05-08 22:12         ` sergeh
2025-05-09  6:15           ` Max Kellermann
2025-05-09 14:44             ` Eric W. Biederman
2025-05-09 16:53               ` Max Kellermann
2025-05-09 20:17                 ` Serge E. Hallyn
2025-05-09 18:41               ` [PATCH] Documentation/no_new_privs.rst: document dropping effective ids Max Kellermann
2025-05-15 16:24 ` [PATCH] exec: Correct the permission check for unsafe exec Eric W. Biederman
2025-05-15 22:09   ` Kees Cook
2025-05-16 15:26     ` Eric W. Biederman
2025-05-16 18:06       ` Jann Horn
2025-05-16 18:08         ` Jann Horn
2025-05-16 21:46         ` sergeh
2025-05-20 22:38           ` Jann Horn
2025-05-20 22:43             ` Kees Cook
2025-05-16 23:29         ` Eric W. Biederman
2025-05-20 20:20           ` Kees Cook
2025-05-20 22:13             ` [PATCH v2] " Eric W. Biederman
2025-05-20 22:35               ` Kees Cook [this message]
2025-05-20 23:53               ` Jann Horn
2025-05-21 15:27                 ` Eric W. Biederman
2025-05-21 15:36                   ` Jann Horn
2025-06-11  0:18                     ` Paul Moore
2025-06-11 14:23                       ` Max Kellermann
2025-06-13 15:07                         ` Eric W. Biederman
2025-06-12 21:26                       ` Serge E. Hallyn
2025-06-13  1:48                         ` Kees Cook
2025-06-13 15:28                           ` Paul Moore
2025-06-16 19:57                             ` Kees Cook
2025-06-16 20:16                               ` Paul Moore
2025-05-16 21:48     ` [PATCH] " sergeh
2025-05-16 21:49   ` sergeh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202505201533.CEB79A19FF@keescook \
    --to=kees@kernel.org \
    --cc=christian@brauner.io \
    --cc=ebiederm@xmission.com \
    --cc=jannh@google.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=max.kellermann@ionos.com \
    --cc=morgan@kernel.org \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.