From: Florian Weimer <fweimer@redhat.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: linux-fsdevel@vger.kernel.org, Jim Lieb <jlieb@panasas.com>
Subject: Re: Fixing setfsuid/setfsgid
Date: Wed, 22 Jan 2014 15:06:01 +0100 [thread overview]
Message-ID: <52DFD049.7070605@redhat.com> (raw)
In-Reply-To: <20140122085653.7718752e@tlielax.poochiereds.net>
On 01/22/2014 02:56 PM, Jeff Layton wrote:
> On Wed, 22 Jan 2014 13:40:46 +0100
> Florian Weimer <fweimer@redhat.com> wrote:
>
>> At present, setfsuid and setfsgid return the same value on success and
>> on error, so it is rather difficult to check for errors. Since the
>> userns changes at least, failure can not only be caused by lack of the
>> CAP_SETUID capability, but also by an out-of-memory situation.
>>
>
> It is awkward, but how is it ambiguous? If you get back the same value
> you passed in, then you know that nothing changed.
It returns the old value, not the new value, just like umask.
>> * Introduce new system calls setfsuid1, fetfsgid1 which have the usual
>> "return -errno on failure, 0 on success" semantics.
>>
>> * Introduce getfsuid, getfsgid, so that applications can check for
>> failure by noting that the fs?id did not change. These system calls
>> might have other uses as well. Emulation in glibc by parsing
>> /proc/self/status is possible.
>>
>
> #2 sounds quite reasonable. It's simple, and having a setfsuid()
> without a way to definitively fetch the current value is dumb.
Yes, it's certainly simple, and we can try to do some magic in glibc to
deprecate looking at the return value of setfsuid. getumask seems to
missing as well.
>> * Don't bother with fs?id at all anymore and attach effective security
>> information to descriptors, which are then inherited by the *at
>> functions. This is far more invasive, but would solve the
>> multi-threading ambiguity and could be reasonably extended to umask and
>> security contexts. This would need new system calls fsetuid, fsetgid,
>> and probably socketat (for bind/connect) and perhaps socketpairat.
>>
>
> (cc'ing Jim Lieb)
>
> I know that Jim had been working on something along these lines, but I
> don't know the current state of that work...
Interesting, thanks.
--
Florian Weimer / Red Hat Product Security Team
next prev parent reply other threads:[~2014-01-22 14:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-22 12:40 Fixing setfsuid/setfsgid Florian Weimer
2014-01-22 13:56 ` Jeff Layton
2014-01-22 14:06 ` Florian Weimer [this message]
2014-01-22 18:21 ` Jim Lieb
2014-01-23 11:28 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52DFD049.7070605@redhat.com \
--to=fweimer@redhat.com \
--cc=jlayton@redhat.com \
--cc=jlieb@panasas.com \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).