From: Peter Williams <pwil3058@bigpond.net.au>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Solar Designer <solar@openwall.com>,
Willy Tarreau <wtarreau@hera.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] set*uid() must not fail-and-return on OOM/rlimits
Date: Mon, 21 Aug 2006 10:23:35 +1000 [thread overview]
Message-ID: <44E8FD07.1010104@bigpond.net.au> (raw)
In-Reply-To: <1156114275.4051.71.camel@localhost.localdomain>
Alan Cox wrote:
> Ar Llu, 2006-08-21 am 02:12 +0400, ysgrifennodd Solar Designer:
>> Are you referring to killing of processes on OOM? That was in Linux
>> already, this patch does not introduce it.
>
> (pedantic) Only if you have overcommit disabled.
>
>> As it relates to setuid() in particular, POSIX.1-2001 says:
>>
>> The setuid() function shall fail, return -1, and set errno to the
>> corresponding value if one or more of the following are true:
>>
>> [EINVAL]
>> The value of the uid argument is invalid and not supported by
>> the implementation.
>> [EPERM] The process does not have appropriate privileges and uid does
>> not match the real user ID or the saved set-user-ID.
>>
>> No other error conditions are defined.
>
>> I'd say that the behavior of returning EAGAIN is non-compliant.
>
> You are allowed to return other errors. What you must not do is return a
> different error for the description described in the text as I
> understand it.
>
>> But the kills are needed. They are more correct and safer than
>> returning EAGAIN. An alternative would be to not allocate memory on
>> set*uid() at all - like we did not in older kernels - but that would
>> be an inappropriate behavior change for 2.4.
>
> It is certainly an awkward case to get right when setuid code is not
> being audited but I still think you are chasing the symptom, and its not
> symptom of crap code, so you are not likely to "fix" security. A lot of
> BSD code for example doesn't check malloc returns but you don't want an
> auto-kill if mmap fails ?
>
> The kill has the advantage that it stops the situation but it may also
> be that you kill a program which can handle the case and you create a
> new DoS attack (eg against a daemon switching to your uid). The current
> situation is not good, the updated situation could be far worse.
>
> The message is important, we want to know it happened in the memory
> shortage case anyway.
How about going ahead with the uid change (if the current user is root)
BUT still return -EAGAIN. That way programs that ignore the return
value will at least no longer have root privileges.
Peter
--
Peter Williams pwil3058@bigpond.net.au
"Learning, n. The kind of ignorance distinguishing the studious."
-- Ambrose Bierce
next prev parent reply other threads:[~2006-08-21 0:23 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-20 0:38 [PATCH] set*uid() must not fail-and-return on OOM/rlimits Solar Designer
2006-08-20 7:52 ` Kari Hurtta
2006-08-20 18:10 ` Alan Cox
2006-08-21 5:05 ` Kari Hurtta
2006-08-20 8:26 ` Willy Tarreau
2006-08-20 15:25 ` Solar Designer
2006-08-20 10:07 ` Alex Riesen
2006-08-20 15:30 ` Solar Designer
2006-08-20 15:53 ` Arjan van de Ven
2006-08-20 16:17 ` Willy Tarreau
2006-08-20 16:28 ` Ulrich Drepper
2006-08-20 16:45 ` Arjan van de Ven
2006-08-20 16:47 ` Michael Buesch
2006-08-20 16:48 ` Solar Designer
2006-08-20 18:03 ` Alan Cox
2006-08-20 18:10 ` Willy Tarreau
2006-08-20 18:36 ` Alan Cox
2006-08-20 18:21 ` Willy Tarreau
2006-08-20 18:52 ` Alan Cox
2006-08-20 19:01 ` Willy Tarreau
2006-08-20 19:33 ` Alan Cox
2006-08-20 19:17 ` Willy Tarreau
2006-08-20 16:04 ` Florian Weimer
2006-08-20 16:25 ` Solar Designer
2006-08-20 18:14 ` Alan Cox
2006-08-20 22:12 ` Solar Designer
2006-08-20 22:51 ` Alan Cox
2006-08-20 22:58 ` Solar Designer
2006-08-20 23:00 ` Alan Cox
2006-08-21 0:23 ` Peter Williams [this message]
2006-08-21 0:45 ` Solar Designer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44E8FD07.1010104@bigpond.net.au \
--to=pwil3058@bigpond.net.au \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=solar@openwall.com \
--cc=wtarreau@hera.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.