From: Max Kellermann <max.kellermann@ionos.com>
To: ebiederm@xmission.com, serge@hallyn.com, paul@paul-moore.com,
jmorris@namei.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org
Cc: Max Kellermann <max.kellermann@ionos.com>
Subject: [PATCH] Documentation/no_new_privs.rst: document dropping effective ids
Date: Fri, 9 May 2025 20:41:05 +0200 [thread overview]
Message-ID: <20250509184105.840928-1-max.kellermann@ionos.com> (raw)
In-Reply-To: <87h61t7siv.fsf@email.froward.int.ebiederm.org>
Usually, execve() preserves the effective ids. Many programs rely on
this to detect setuid/setgid execution and will disable certain
features (such as rejecting certain user input / environment
variables).
However, if NO_NEW_PRIVS is set, effective ids are always reset by
cap_bprm_creds_from_file(), but capabilities are not revoked. That
means the process looks like it's not setuid/setgid, but has full
capabilities, and is effectively a superuser process. This breaks
userspace assumptions.
It was argued [1] that this surprising behavior must not change
because programs might rely on it:
Of course, this leaves many programs vulnerable, but if we decide the
behavior must remain, we should at least document it with a warning.
[1] https://lore.kernel.org/lkml/87h61t7siv.fsf@email.froward.int.ebiederm.org/
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
---
Documentation/userspace-api/no_new_privs.rst | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/Documentation/userspace-api/no_new_privs.rst b/Documentation/userspace-api/no_new_privs.rst
index d060ea217ea1..89b0884991e9 100644
--- a/Documentation/userspace-api/no_new_privs.rst
+++ b/Documentation/userspace-api/no_new_privs.rst
@@ -29,6 +29,12 @@ bits will no longer change the uid or gid; file capabilities will not
add to the permitted set, and LSMs will not relax constraints after
execve.
+A successful execve call with ``no_new_privs`` will reset the
+effective uid/gid to the real uid/gid, but does not drop capabilities.
+This means that comparing effective and real ids is not a valid method
+to detect setuid/setgid execution; the proper way to do that is
+getauxval(AT_SECURE).
+
To set ``no_new_privs``, use::
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
--
2.47.2
parent reply other threads:[~2025-05-09 18:41 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <87h61t7siv.fsf@email.froward.int.ebiederm.org>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250509184105.840928-1-max.kellermann@ionos.com \
--to=max.kellermann@ionos.com \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).