From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Christoph Lameter <cl-vYTEC60ixJUAvxtiuMwx3w@public.gmane.org>,
Serge Hallyn
<serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
Aaron Jones
<aaronmdjones-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Ted Ts'o <tytso-3s7WtUTddSA@public.gmane.org>,
LSM List
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andrew Morton
<akpm-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
"Andrew G. Morgan"
<morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Mimi Zohar
<zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>,
Austin S Hemmelgarn
<ahferroin7-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Markku Savela <msa-kXoF896ld44xHbG02/KK1g@public.gmane.org>,
Jarkko Sakkinen
<jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Michael Kerrisk
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Jonathan Corbet <corbet-T1hC0tSOHrs@public.gmane.org>
Subject: Re: [PATCH] capabilities: Ambient capability set V1
Date: Mon, 23 Feb 2015 10:45:57 -0600 [thread overview]
Message-ID: <20150223164557.GA32181@mail.hallyn.com> (raw)
In-Reply-To: <CALCETrW78805ayUL=ZYBdFwVdDvJZus2JL0VVmEBE8=L1Nm5Sw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Mon, Feb 23, 2015 at 08:33:58AM -0800, Andy Lutomirski wrote:
> On Mon, Feb 23, 2015 at 8:16 AM, Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> wrote:
> > Quoting Christoph Lameter (cl-vYTEC60ixJUAvxtiuMwx3w@public.gmane.org):
> >> Ok 4.0-rc1 is out and this patch has been sitting here for a couple of
> >> weeks without comment after an intensive discussion about the RFCs.
> >>
> >> Since there were no objections: Is there any chance to get this into -next
> >> somehow?
> >
> > Andrew Morgan and Andy Lutomirski appear to have a similar concern
> > but competing ideas on how to address them. We need them to agree
> > on an approach.
> >
> > The core concern for amorgan is that an unprivileged user not be
> > able to cause a privileged program to run in a way that it fails to
> > drop privilege before running unprivileged-user-provided code.
> >
> > Andy Lutomirski's concern is simply that code which is currently
> > doing the right thing to drop privilege not be run in a way that
> > it thinks it is dropping privilege, but in fact is not.
> >
>
> I share both concerns.
>
> > (Please correct me where I've mis-spoken or misunderstood)
> >
> > Since your desire is precisely for a mode where dropping privilege
> > works as usual, but exec then re-gains some or all of that privilege,
> > we need to either agree on a way to enter that mode that ordinary
> > use caes can't be tricked into using, or find a way for legacy
> > users to be tpiped off as to what's going on (without having to be
> > re-written)
>
> Is there really a need to drop privilege and then regain it or is it
> sufficient to keep the privilege permitted (and perhaps ambient, too)
> and just to have execve not drop it for you? I assume the latter.
Well right, any perceived security benefit of the temporary drop would
seem to be easily debunked (just run shell for exec /bin/sh to get
around it)
So this is more of a desire, I suspect, for regular programs which
drop privilege to still be usable in this environment.
I think this may be a decent place for a compromise. Attempts to
drop privilege when ambient caps are set return EPERM.
-serge
next prev parent reply other threads:[~2015-02-23 16:45 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-05 21:56 [PATCH] capabilities: Ambient capability set V1 Christoph Lameter
[not found] ` <alpine.DEB.2.11.1502051554500.4876-gkYfJU5Cukgdnm+yROfE0A@public.gmane.org>
2015-02-23 14:58 ` Christoph Lameter
2015-02-23 15:44 ` Andy Lutomirski
[not found] ` <CALCETrWJCcBBGGp21C4cdtiU79K-P3t+6rFJUWcXcLR1jqrrFQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-02-23 15:53 ` Christoph Lameter
2015-02-23 15:59 ` Andy Lutomirski
2015-02-23 16:41 ` Christoph Lameter
2015-02-23 23:51 ` Andy Lutomirski
2015-02-24 15:48 ` Christoph Lameter
2015-02-23 16:16 ` Serge Hallyn
2015-02-23 16:33 ` Andy Lutomirski
[not found] ` <CALCETrW78805ayUL=ZYBdFwVdDvJZus2JL0VVmEBE8=L1Nm5Sw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-02-23 16:45 ` Serge E. Hallyn [this message]
2015-02-23 16:47 ` Christoph Lameter
2015-02-23 16:44 ` Christoph Lameter
2015-02-23 16:46 ` Serge E. Hallyn
2015-02-23 16:50 ` Christoph Lameter
2015-02-23 18:15 ` Serge Hallyn
2015-02-23 18:27 ` Christoph Lameter
2015-02-24 5:19 ` Serge E. Hallyn
[not found] ` <20150224051928.GA14755-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-02-24 15:47 ` Serge E. Hallyn
2015-02-24 15:58 ` Christoph Lameter
2015-02-24 16:44 ` Serge Hallyn
2015-02-24 17:28 ` Christoph Lameter
2015-02-25 3:32 ` Serge Hallyn
2015-02-25 20:25 ` Christoph Lameter
2015-02-26 15:35 ` Serge E. Hallyn
[not found] ` <20150226153524.GC15182-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-02-26 18:28 ` Christoph Lameter
2015-02-26 19:32 ` Serge E. Hallyn
2015-02-26 19:38 ` Andy Lutomirski
[not found] ` <CALCETrWpKiurZEEOT25i_xrtQyk5dht+wjUO4+tGs+N_7JCdYA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-02-26 20:16 ` Christoph Lameter
2015-02-26 20:33 ` Serge E. Hallyn
[not found] ` <20150226193200.GA17709-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-02-26 20:13 ` Christoph Lameter
2015-02-26 20:34 ` Serge E. Hallyn
2015-02-26 20:51 ` Andy Lutomirski
2015-02-26 20:55 ` Serge E. Hallyn
[not found] ` <20150226205512.GA19273-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2015-02-26 20:58 ` Andy Lutomirski
2015-02-26 21:19 ` Serge E. Hallyn
2015-02-26 21:29 ` Christoph Lameter
2015-02-26 21:09 ` Christoph Lameter
[not found] ` <alpine.DEB.2.11.1502261507450.8274-gkYfJU5Cukgdnm+yROfE0A@public.gmane.org>
2015-02-26 21:13 ` Serge E. Hallyn
2015-02-26 21:23 ` Christoph Lameter
2015-02-26 21:32 ` Serge E. Hallyn
2015-02-26 21:37 ` Christoph Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150223164557.GA32181@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=aaronmdjones-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=ahferroin7-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=akpm-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=cl-vYTEC60ixJUAvxtiuMwx3w@public.gmane.org \
--cc=corbet-T1hC0tSOHrs@public.gmane.org \
--cc=jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=msa-kXoF896ld44xHbG02/KK1g@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
--cc=tytso-3s7WtUTddSA@public.gmane.org \
--cc=zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).