From: "Theodore Ts'o" <tytso@mit.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Kees Cook" <keescook@chromium.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Christian Heimes" <christian@python.org>,
"Geert Uytterhoeven" <geert@linux-m68k.org>,
"James Morris" <jmorris@namei.org>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Muhammad Usama Anjum" <usama.anjum@collabora.com>,
"Paul Moore" <paul@paul-moore.com>,
"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
"Shuah Khan" <skhan@linuxfoundation.org>,
"Steve Dower" <steve.dower@python.org>,
"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Christian Brauner" <brauner@kernel.org>
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
Date: Tue, 5 Apr 2022 18:21:39 -0400 [thread overview]
Message-ID: <YkzA8/3sl86W5oCX@mit.edu> (raw)
In-Reply-To: <CAHk-=whb=XuU=LGKnJWaa7LOYQz9VwHs8SLfgLbT5sf2VAbX1A@mail.gmail.com>
On Mon, Apr 04, 2022 at 04:26:44PM -0700, Linus Torvalds wrote:
> > > (a) "what about suid bits that user space cannot react to"
> >
> > What do you mean here? Do you mean setid bits on the file itself?
>
> Right.
>
> Maybe we don't care.
>
> Maybe we do.
>
> Is the user-space loader going to honor them? Is it going to ignore
> them? I don't know. And it actually interacts with things like
> 'nosuid', which the kernel does know about, and user space has a hard
> time figuring out.
So there *used* to be suidperl which was a setuid version of perl with
some extra security checks. (See [1] for more details.) The suidperl
binary would be used by #!/usr/bin/perl so it could honor setuid bits
on perl scripts, but it was deprecated in Perl 5.8 and removed in Perl
5.12 in 2010[2].
[1] https://mattmccutchen.net/suidperl.html
[2] https://metacpan.org/release/SHAY/perl-5.20.2/view/pod/perl5120delta.pod#Deprecations
So it's possible that the user-space loader might try to honor them,
and if there was such an example "in the field", it might be nice if
there was a way for the kernel to advise userspace about the nosuid.
But I'm not aware of any other shell script interpreter that tried do
what perl did with suidperl.
> So if the point is "give me an interface so that I can do the same
> thing a kernel execve() loader would do", then those sgid/suid bits
> actually may be exactly the kind of thing that user space wants the
> kernel to react to - should it ignore them, or should it do something
> special when it sees that they are set?
>
> I'm not saying that they *should* be something we care about. All I'm
> saying is that I want that *discussion* to happen.
I'm not convinced we should. I suppose *if* the shell script was
suid, *and* the file system was mounted nosuid, then the check could
return false, and that would be mostly harmless even if the script
interpreter didn't support setuid. But it's extra complexity, and in
theory it could break a setuid script, where the setuid bit was
previously a no-op, and it now might cause a problem for that user.
- Ted
next prev parent reply other threads:[~2022-04-06 5:12 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-21 16:15 [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) Mickaël Salaün
2022-03-21 17:38 ` Luis Chamberlain
2022-03-21 18:05 ` Mickaël Salaün
2022-03-21 23:32 ` Luis Chamberlain
2022-03-30 16:06 ` Mickaël Salaün
2022-04-04 18:40 ` Kees Cook
2022-04-04 18:47 ` Linus Torvalds
2022-04-04 20:30 ` Mickaël Salaün
2022-04-04 21:28 ` Linus Torvalds
2022-04-04 21:40 ` Linus Torvalds
2022-04-04 22:25 ` Kees Cook
2022-04-04 23:26 ` Linus Torvalds
2022-04-05 16:09 ` Mickaël Salaün
2022-04-05 16:17 ` Linus Torvalds
2023-02-08 19:32 ` Kees Cook
2023-02-09 15:43 ` Mickaël Salaün
2022-04-05 22:21 ` Theodore Ts'o [this message]
2022-04-05 15:55 ` Mickaël Salaün
2022-04-05 15:38 ` Mickaël Salaün
2022-04-05 14:54 ` Theodore Ts'o
2022-04-05 16:14 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YkzA8/3sl86W5oCX@mit.edu \
--to=tytso@mit.edu \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=christian@python.org \
--cc=geert@linux-m68k.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=philippe.trebuchet@ssi.gouv.fr \
--cc=skhan@linuxfoundation.org \
--cc=steve.dower@python.org \
--cc=thibaut.sautereau@ssi.gouv.fr \
--cc=torvalds@linux-foundation.org \
--cc=usama.anjum@collabora.com \
--cc=vincent.strubel@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).