From mboxrd@z Thu Jan 1 00:00:00 1970 From: Florian Weimer Subject: Re: Fixing setfsuid/setfsgid Date: Wed, 22 Jan 2014 15:06:01 +0100 Message-ID: <52DFD049.7070605@redhat.com> References: <52DFBC4E.3060103@redhat.com> <20140122085653.7718752e@tlielax.poochiereds.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: linux-fsdevel@vger.kernel.org, Jim Lieb To: Jeff Layton Return-path: Received: from mx1.redhat.com ([209.132.183.28]:8421 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754645AbaAVOGF (ORCPT ); Wed, 22 Jan 2014 09:06:05 -0500 In-Reply-To: <20140122085653.7718752e@tlielax.poochiereds.net> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On 01/22/2014 02:56 PM, Jeff Layton wrote: > On Wed, 22 Jan 2014 13:40:46 +0100 > Florian Weimer wrote: > >> At present, setfsuid and setfsgid return the same value on success and >> on error, so it is rather difficult to check for errors. Since the >> userns changes at least, failure can not only be caused by lack of the >> CAP_SETUID capability, but also by an out-of-memory situation. >> > > It is awkward, but how is it ambiguous? If you get back the same value > you passed in, then you know that nothing changed. It returns the old value, not the new value, just like umask. >> * Introduce new system calls setfsuid1, fetfsgid1 which have the usual >> "return -errno on failure, 0 on success" semantics. >> >> * Introduce getfsuid, getfsgid, so that applications can check for >> failure by noting that the fs?id did not change. These system calls >> might have other uses as well. Emulation in glibc by parsing >> /proc/self/status is possible. >> > > #2 sounds quite reasonable. It's simple, and having a setfsuid() > without a way to definitively fetch the current value is dumb. Yes, it's certainly simple, and we can try to do some magic in glibc to deprecate looking at the return value of setfsuid. getumask seems to missing as well. >> * Don't bother with fs?id at all anymore and attach effective security >> information to descriptors, which are then inherited by the *at >> functions. This is far more invasive, but would solve the >> multi-threading ambiguity and could be reasonably extended to umask and >> security contexts. This would need new system calls fsetuid, fsetgid, >> and probably socketat (for bind/connect) and perhaps socketpairat. >> > > (cc'ing Jim Lieb) > > I know that Jim had been working on something along these lines, but I > don't know the current state of that work... Interesting, thanks. -- Florian Weimer / Red Hat Product Security Team