From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Roland McGrath <roland-/Z5OmTQCD9xF6kxbq+BtvQ@public.gmane.org>,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org>,
Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Ingo Molnar <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Michael Kerrisk (man-pages)"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH 00/26] Fixing wait, exit, ptrace, exec, and CLONE_THREAD
Date: Wed, 07 Jun 2017 06:36:48 -0500 [thread overview]
Message-ID: <87ink8vxkf.fsf@xmission.com> (raw)
In-Reply-To: <dd16b1bb-e99e-69f2-72f4-1be4cb24d18d-l3A5Bk7waGM@public.gmane.org> (Aleksa Sarai's message of "Wed, 7 Jun 2017 05:40:21 +1000")
Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org> writes:
>> Another easy entry point is to see that a multi-threaded setuid won't
>> change the credentials on a zombie thread group leader. Which can allow
>> sending signals to a process that the credential change should forbid.
>> This is in violation of posix and the semantics we attempt to enforce in
>> linux.
>
> I might be completely wrong on this point (and I haven't looked at the patches),
> but I was under the impression that multi-threaded set[ug]id was implemented in
> userspace (by glibc's nptl(7) library that uses RT signals internally to get
> each thread to update their credentials). And given that, I wouldn't be
> surprised (as a user) that zombie threads will have stale credentials (glibc
> isn't running in those threads anymore).
>
> Am I mistaken in that belief?
Would you be surprised if you learned that if your first thread
exits, it will become a zombie and persist for the lifetime of your
process?
Furthermore all non-thread specific signals will permission check
against that first zombie thread.
Which I think makes this surprising even if you know that setuid is
implemented in userspace.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Aleksa Sarai <asarai@suse.de>
Cc: linux-kernel@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Roland McGrath <roland@hack.frob.com>,
linux-api@vger.kernel.org,
Linux Containers <containers@lists.linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
David Howells <dhowells@redhat.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
"Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Subject: Re: [PATCH 00/26] Fixing wait, exit, ptrace, exec, and CLONE_THREAD
Date: Wed, 07 Jun 2017 06:36:48 -0500 [thread overview]
Message-ID: <87ink8vxkf.fsf@xmission.com> (raw)
In-Reply-To: <dd16b1bb-e99e-69f2-72f4-1be4cb24d18d@suse.de> (Aleksa Sarai's message of "Wed, 7 Jun 2017 05:40:21 +1000")
Aleksa Sarai <asarai@suse.de> writes:
>> Another easy entry point is to see that a multi-threaded setuid won't
>> change the credentials on a zombie thread group leader. Which can allow
>> sending signals to a process that the credential change should forbid.
>> This is in violation of posix and the semantics we attempt to enforce in
>> linux.
>
> I might be completely wrong on this point (and I haven't looked at the patches),
> but I was under the impression that multi-threaded set[ug]id was implemented in
> userspace (by glibc's nptl(7) library that uses RT signals internally to get
> each thread to update their credentials). And given that, I wouldn't be
> surprised (as a user) that zombie threads will have stale credentials (glibc
> isn't running in those threads anymore).
>
> Am I mistaken in that belief?
Would you be surprised if you learned that if your first thread
exits, it will become a zombie and persist for the lifetime of your
process?
Furthermore all non-thread specific signals will permission check
against that first zombie thread.
Which I think makes this surprising even if you know that setuid is
implemented in userspace.
Eric
next prev parent reply other threads:[~2017-06-07 11:36 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 19:01 [PATCH 00/26] Fixing wait, exit, ptrace, exec, and CLONE_THREAD Eric W. Biederman
2017-06-06 19:01 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 01/26] alpha: Remove unused TASK_GROUP_LEADER Eric W. Biederman
2017-06-06 19:03 ` [PATCH 02/26] cgroup: Don't open code tasklist_empty() Eric W. Biederman
2017-06-06 19:03 ` [PATCH 03/26] signal: Do not perform permission checks when sending pdeath_signal Eric W. Biederman
[not found] ` <20170606190338.28347-3-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-06-06 20:01 ` Linus Torvalds
2017-06-06 20:01 ` Linus Torvalds
[not found] ` <CA+55aFya7CgNozFrhQ9qk40UhZAD8SMva1+Y1vQ0YUEbpUpQUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-06-07 11:23 ` Eric W. Biederman
2017-06-07 11:23 ` Eric W. Biederman
2017-06-06 21:42 ` Richard Weinberger
2017-06-06 21:42 ` Richard Weinberger
2017-06-06 19:03 ` [PATCH 04/26] signal: Make group_send_sig_info static Eric W. Biederman
2017-06-06 19:03 ` [PATCH 06/26] rlimit: Remove unnecessary grab of tasklist_lock Eric W. Biederman
2017-06-07 12:36 ` Oleg Nesterov
[not found] ` <20170607123657.GA22199-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-06-07 14:08 ` Eric W. Biederman
2017-06-07 14:08 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 07/26] pidns: Improve the error handling in alloc_pid Eric W. Biederman
2017-06-06 19:03 ` [PATCH 08/26] exit: Make the runqueue rcu safe Eric W. Biederman
[not found] ` <20170606190338.28347-8-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-06-07 13:16 ` Oleg Nesterov
2017-06-07 13:16 ` Oleg Nesterov
2017-06-06 19:03 ` [PATCH 09/26] signal: Don't allow sending SIGKILL or SIGSTOP to init Eric W. Biederman
2017-06-06 19:03 ` [PATCH 10/26] ptrace: Simplify ptrace_detach & exit_ptrace Eric W. Biederman
2017-06-06 19:03 ` [PATCH 11/26] wait: Properly implement __WCLONE handling in the presence of exec and ptrace Eric W. Biederman
2017-06-06 19:03 ` [PATCH 12/26] wait: Directly test for the two cases where wait_task_zombie is called Eric W. Biederman
2017-06-06 19:03 ` [PATCH 17/26] exit: Rework the exit states for ptracees Eric W. Biederman
[not found] ` <20170606190338.28347-1-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-06-06 19:03 ` [PATCH 05/26] exit: Remove the pointless clearing of SIGPENDING in __exit_signal Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 13/26] wait: Remove unused delay_group_leader Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 14/26] wait: Move changing of ptrace from wait_consider_task into wait_task_stopped Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 15/26] wait: Don't delay !ptrace_reparented leaders Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 16/26] exit: Fix reporting a ptraced !reparented leader has exited Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 18/26] wait: Fix WSTOPPED on a ptraced child Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 19/26] wait: Simpler code for clearing notask_error in wait_consider_task Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 20/26] wait: Don't pass the list to wait_consider_task Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 22/26] exit: Fix auto-wait of ptraced children Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 23/26] signal: Fix SIGCONT before group stop completes Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 24/26] signal: In ptrace_stop improve identical signal detection Eric W. Biederman
2017-06-06 19:03 ` Eric W. Biederman
2017-06-06 19:03 ` [PATCH 21/26] wait: Optmize waitpid Eric W. Biederman
2017-06-06 19:03 ` [PATCH 25/26] signal: In ptrace_stop use CLD_TRAPPED in all ptrace signals Eric W. Biederman
2017-06-06 19:03 ` [PATCH 26/26] pidns: Ensure zap_pid_ns_processes always terminates Eric W. Biederman
[not found] ` <877f0pym71.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-06-06 19:40 ` [PATCH 00/26] Fixing wait, exit, ptrace, exec, and CLONE_THREAD Aleksa Sarai
2017-06-06 19:40 ` Aleksa Sarai
[not found] ` <dd16b1bb-e99e-69f2-72f4-1be4cb24d18d-l3A5Bk7waGM@public.gmane.org>
2017-06-07 11:36 ` Eric W. Biederman
2017-06-07 11:36 ` Eric W. Biederman [this message]
2017-06-07 11:36 ` Eric W. Biederman
[not found] ` <87ink8vxkf.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-06-07 12:21 ` Aleksa Sarai
2017-06-07 12:21 ` Aleksa Sarai
2017-06-06 20:07 ` Linus Torvalds
2017-06-06 20:07 ` Linus Torvalds
[not found] ` <CA+55aFze5rR+rGcG6kt=8PtfgAcs02jqQ7Gm-1=1MzkbA7_nqA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-06-07 15:59 ` Eric W. Biederman
2017-06-07 15:59 ` Eric W. Biederman
2017-06-07 15:59 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ink8vxkf.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=asarai-l3A5Bk7waGM@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=roland-/Z5OmTQCD9xF6kxbq+BtvQ@public.gmane.org \
--cc=tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.