From: NeilBrown <neilb@suse.de>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: kernel-hardening@lists.openwall.com,
Solar Designer <solar@openwall.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
Jiri Slaby <jslaby@suse.cz>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Eric Paris <eparis@redhat.com>, Willy Tarreau <w@1wt.eu>,
Sebastian Krahmer <krahmer@suse.de>
Subject: Re: [patch v2] move RLIMIT_NPROC check from set_user() to do_execve_common()
Date: Wed, 27 Jul 2011 12:15:49 +1000 [thread overview]
Message-ID: <20110727121549.67a84d18@notabene.brown> (raw)
In-Reply-To: <20110726144848.GA7133@albatros>
On Tue, 26 Jul 2011 18:48:48 +0400 Vasiliy Kulikov <segoon@openwall.com>
wrote:
> Neil, Solar,
>
> On Tue, Jul 26, 2011 at 14:11 +1000, NeilBrown wrote:
> > I don't really see that failing mmap is any more hackish than failing execve.
> >
> > Both are certainly hacks. It is setuid that should fail, but that is
> > problematic.
> >
> > We seem to agree that it is acceptable to delay the failure until the process
> > actually tries to run some code for the user. I just think that
> > mapping-a-file-for-exec is a more direct measure of "trying to run some code
> > for the user" than "execve" is.
> >
> > So they are both hacks, but one it more thorough than the other. In the
> > world of security I would hope that "thorough" would win.
>
> Well, I don't mind against something more generic than the check in
> execve(), however, the usefulness of the check in mmap() is unclear to
> me. You want to make more programs fail after setuid(), but does mmap
> stops really many programs? Do you know any program doing mmap/dlopen
> after setuid() call? What if the program will not do any mmap/dlopen
> and e.g. start to handle network connections or do some computations?
> I suppose the latter case is much more often than mmap/dlopen.
I think I didn't make myself clear.
I don't mean we should intercept the mmap system call.
I mean we could intercept the internal kernel function do_mmap_pgoff.
This is used by the mmap system call but also (and more importantly) by the
execve system call and the uselib system call.
So any attempt to map a file and execute the code in that file - whether via
exec or via mapping a shared object - will go through do_mmap_pgoff.
So if we disable do_mmap_pgoff() requests which ask for execute permission
when a setuid has caused RLIMIT_NPROC to be exceeded, then we catch every
attempt to run the user's code as the user.
I won't catch a situation where an interpreter is already loaded into the
root-owned process and the setuid is followed by loading a script and running
that, it is isn't perfect. But I think it is more general than just trapping
in execve.
NeilBrown
next prev parent reply other threads:[~2011-07-27 2:16 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110612130953.GA3709@albatros>
[not found] ` <20110706173631.GA5431@albatros>
[not found] ` <CA+55aFyfjG1h2zkkGai_VPM8p5bhWhvNXs1HvuWMgxv4RSywYw@mail.gmail.com>
[not found] ` <20110706185932.GB3299@albatros>
[not found] ` <20110707075610.GA3411@albatros>
[not found] ` <20110707081930.GA4393@albatros>
2011-07-12 13:27 ` [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common() Vasiliy Kulikov
2011-07-12 21:16 ` Linus Torvalds
2011-07-12 23:14 ` NeilBrown
2011-07-13 6:31 ` Solar Designer
2011-07-13 7:06 ` NeilBrown
2011-07-13 20:46 ` Linus Torvalds
2011-07-14 0:11 ` James Morris
2011-07-14 1:27 ` NeilBrown
2011-07-14 15:06 ` Solar Designer
2011-07-15 3:30 ` NeilBrown
2011-07-15 5:35 ` Willy Tarreau
2011-07-15 6:31 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-15 7:06 ` NeilBrown
2011-07-15 7:38 ` Vasiliy Kulikov
2011-07-15 13:04 ` Solar Designer
2011-07-15 13:58 ` [kernel-hardening] " Stephen Smalley
2011-07-15 15:26 ` Vasiliy Kulikov
2011-07-15 19:54 ` Stephen Smalley
2011-07-21 4:09 ` NeilBrown
2011-07-21 12:48 ` Solar Designer
2011-07-21 18:21 ` Linus Torvalds
2011-07-21 19:39 ` [kernel-hardening] " Solar Designer
2011-07-25 17:14 ` Vasiliy Kulikov
2011-07-25 23:40 ` [kernel-hardening] " Solar Designer
2011-07-26 0:47 ` NeilBrown
2011-07-26 1:16 ` Solar Designer
2011-07-26 4:11 ` NeilBrown
2011-07-26 14:48 ` [patch v2] " Vasiliy Kulikov
2011-07-27 2:15 ` NeilBrown [this message]
2011-07-29 7:07 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-29 8:06 ` Vasiliy Kulikov
2011-07-29 8:11 ` [patch v3] " Vasiliy Kulikov
2011-07-29 8:17 ` James Morris
2011-07-14 1:30 ` [PATCH] " KOSAKI Motohiro
2011-07-13 5:36 ` KOSAKI Motohiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110727121549.67a84d18@notabene.brown \
--to=neilb@suse.de \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=eparis@redhat.com \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=jslaby@suse.cz \
--cc=kernel-hardening@lists.openwall.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=krahmer@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=segoon@openwall.com \
--cc=solar@openwall.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).