From: Vasiliy Kulikov <segoon@openwall.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
kernel-hardening@lists.openwall.com, Jiri Slaby <jslaby@suse.cz>,
James Morris <jmorris@namei.org>, Neil Brown <neilb@suse.de>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org
Subject: [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common()
Date: Tue, 12 Jul 2011 17:27:23 +0400 [thread overview]
Message-ID: <20110712132723.GA3193@albatros> (raw)
In-Reply-To: <20110707081930.GA4393@albatros>
The patch http://lkml.org/lkml/2003/7/13/226 introduced a RLIMIT_NPROC
check in set_user() to check for NPROC exceeding via setuid() and
similar functions. Before the check there was a possibility to greatly
exceed the allowed number of processes by an unprivileged user if the
program relied on rlimit only. But the check created new security
threat: many poorly written programs simply don't check setuid() return
code and believe it cannot fail if executed with root privileges. So,
the check is removed in this patch because of too often privilege
escalations related to buggy programs.
The NPROC can still be enforced in the common code flow of daemons
spawning user processes. Most of daemons do fork()+setuid()+execve().
The check introduced in execve() enforces the same limit as in setuid()
and doesn't create similar security issues.
Similar check was introduced in -ow patches.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
fs/exec.c | 13 +++++++++++++
kernel/sys.c | 6 ------
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index ea5f748..0baf5c9 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1436,6 +1436,19 @@ static int do_execve_common(const char *filename,
struct files_struct *displaced;
bool clear_in_exec;
int retval;
+ const struct cred *cred = current_cred();
+
+ /*
+ * We check for RLIMIT_NPROC in execve() instead of set_user() because
+ * too many poorly written programs don't check setuid() return code.
+ * The check in execve() does the same thing for programs doing
+ * setuid()+execve(), but without similar security issues.
+ */
+ if (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC) &&
+ cred->user != INIT_USER) {
+ retval = -EAGAIN;
+ goto out_ret;
+ }
retval = unshare_files(&displaced);
if (retval)
diff --git a/kernel/sys.c b/kernel/sys.c
index e4128b2..0e7509a 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -591,12 +591,6 @@ static int set_user(struct cred *new)
if (!new_user)
return -EAGAIN;
- if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
- new_user != INIT_USER) {
- free_uid(new_user);
- return -EAGAIN;
- }
-
free_uid(new->user);
new->user = new_user;
return 0;
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next parent reply other threads:[~2011-07-12 13:27 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110612130953.GA3709@albatros>
[not found] ` <20110706173631.GA5431@albatros>
[not found] ` <CA+55aFyfjG1h2zkkGai_VPM8p5bhWhvNXs1HvuWMgxv4RSywYw@mail.gmail.com>
[not found] ` <20110706185932.GB3299@albatros>
[not found] ` <20110707075610.GA3411@albatros>
[not found] ` <20110707081930.GA4393@albatros>
2011-07-12 13:27 ` Vasiliy Kulikov [this message]
2011-07-12 21:16 ` [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common() Linus Torvalds
2011-07-12 23:14 ` NeilBrown
2011-07-13 6:31 ` Solar Designer
2011-07-13 7:06 ` NeilBrown
2011-07-13 20:46 ` Linus Torvalds
2011-07-14 0:11 ` James Morris
2011-07-14 1:27 ` NeilBrown
2011-07-14 15:06 ` Solar Designer
2011-07-15 3:30 ` NeilBrown
2011-07-15 5:35 ` Willy Tarreau
2011-07-15 6:31 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-15 7:06 ` NeilBrown
2011-07-15 7:38 ` Vasiliy Kulikov
2011-07-15 13:04 ` Solar Designer
2011-07-15 13:58 ` [kernel-hardening] " Stephen Smalley
2011-07-15 15:26 ` Vasiliy Kulikov
2011-07-15 19:54 ` Stephen Smalley
2011-07-21 4:09 ` NeilBrown
2011-07-21 12:48 ` Solar Designer
2011-07-21 18:21 ` Linus Torvalds
2011-07-21 19:39 ` [kernel-hardening] " Solar Designer
2011-07-25 17:14 ` Vasiliy Kulikov
2011-07-25 23:40 ` [kernel-hardening] " Solar Designer
2011-07-26 0:47 ` NeilBrown
2011-07-26 1:16 ` Solar Designer
2011-07-26 4:11 ` NeilBrown
2011-07-26 14:48 ` [patch v2] " Vasiliy Kulikov
2011-07-27 2:15 ` NeilBrown
2011-07-29 7:07 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-29 8:06 ` Vasiliy Kulikov
2011-07-29 8:11 ` [patch v3] " Vasiliy Kulikov
2011-07-29 8:17 ` James Morris
2011-07-14 1:30 ` [PATCH] " KOSAKI Motohiro
2011-07-13 5:36 ` KOSAKI Motohiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110712132723.GA3193@albatros \
--to=segoon@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=jslaby@suse.cz \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=neilb@suse.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).