From: sergeh@kernel.org
To: Kees Cook <kees@kernel.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Max Kellermann <max.kellermann@ionos.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
paul@paul-moore.com, jmorris@namei.org,
Andy Lutomirski <luto@kernel.org>,
morgan@kernel.org, Christian Brauner <christian@brauner.io>,
Jann Horn <jannh@google.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] exec: Correct the permission check for unsafe exec
Date: Fri, 16 May 2025 21:48:58 +0000 [thread overview]
Message-ID: <aCeyyly3NFSvsZYN@lei> (raw)
In-Reply-To: <202505151451.638C22B@keescook>
On Thu, May 15, 2025 at 03:09:48PM -0700, Kees Cook wrote:
> On Thu, May 15, 2025 at 11:24:47AM -0500, Eric W. Biederman wrote:
> > I have condensed the logic from Linux-2.4.0-test12 to just:
> > id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
> >
> > This change is userspace visible, but I don't expect anyone to care.
> > [...]
> > -static inline bool __is_setuid(struct cred *new, const struct cred *old)
> > -{ return !uid_eq(new->euid, old->uid); }
> > -
> > -static inline bool __is_setgid(struct cred *new, const struct cred *old)
> > -{ return !gid_eq(new->egid, old->gid); }
> > -
> > [...]
> > - is_setid = __is_setuid(new, old) || __is_setgid(new, old);
> > + id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
>
> The core change here is testing for differing euid rather than
> mismatched uid/euid. (And checking for egid in the set of all groups.)
>
> Imagined situations:
>
> - setuid process is sharing fs. We already believe this is a non-issue,
> as Jann pointed out about Chrome's order of operations, so so changes
> here are likely fine.
>
> - somehow ptracing a process with uid!=euid, and it tries to exec a
> different setuid==euid ELF. Is switching ELF images a security
> boundary? Probably not realistically.
>
> - setuid process sets NNP and execs a setuid==euid ELF, expecting to
> have euid stripped. That doesn't happen any more. This is the most
Yeah, that had been my first concern: that nnp users will have learned
about and therefore started depending upon this behavior. But right
now while euid gets stripped, capabilities do not, so the current
situation is actually far more unsafe.
> worrisome case, but a program like that should _really_ have dropped
> euid first if it is depending on that behavior. Hmmm. Probably some
> code searching is needed...
I had started looking through the debian code search, but didn't finish.
Mostly saw util-linux and systemd...
> -Kees
>
> --
> Kees Cook
next prev parent reply other threads:[~2025-05-16 21:49 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-06 8:26 [PATCH] security/commoncap: don't assume "setid" if all ids are identical Max Kellermann
2025-03-07 10:32 ` kernel test robot
2025-03-09 15:19 ` Serge E. Hallyn
2025-04-28 11:43 ` Max Kellermann
2025-05-06 13:21 ` Serge E. Hallyn
2025-05-06 14:51 ` Max Kellermann
2025-05-07 3:16 ` Andrew G. Morgan
2025-05-07 6:33 ` Max Kellermann
2025-05-08 3:32 ` Andrew G. Morgan
2025-05-08 6:38 ` Max Kellermann
2025-05-08 8:37 ` Max Kellermann
2025-05-09 17:50 ` Max Kellermann
2025-05-08 22:12 ` sergeh
2025-05-09 6:15 ` Max Kellermann
2025-05-09 14:44 ` Eric W. Biederman
2025-05-09 16:53 ` Max Kellermann
2025-05-09 20:17 ` Serge E. Hallyn
2025-05-09 18:41 ` [PATCH] Documentation/no_new_privs.rst: document dropping effective ids Max Kellermann
2025-05-15 16:24 ` [PATCH] exec: Correct the permission check for unsafe exec Eric W. Biederman
2025-05-15 22:09 ` Kees Cook
2025-05-16 15:26 ` Eric W. Biederman
2025-05-16 18:06 ` Jann Horn
2025-05-16 18:08 ` Jann Horn
2025-05-16 21:46 ` sergeh
2025-05-20 22:38 ` Jann Horn
2025-05-20 22:43 ` Kees Cook
2025-05-16 23:29 ` Eric W. Biederman
2025-05-20 20:20 ` Kees Cook
2025-05-20 22:13 ` [PATCH v2] " Eric W. Biederman
2025-05-20 22:35 ` Kees Cook
2025-05-20 23:53 ` Jann Horn
2025-05-21 15:27 ` Eric W. Biederman
2025-05-21 15:36 ` Jann Horn
2025-06-11 0:18 ` Paul Moore
2025-06-11 14:23 ` Max Kellermann
2025-06-13 15:07 ` Eric W. Biederman
2025-06-12 21:26 ` Serge E. Hallyn
2025-06-13 1:48 ` Kees Cook
2025-06-13 15:28 ` Paul Moore
2025-06-16 19:57 ` Kees Cook
2025-06-16 20:16 ` Paul Moore
2025-05-16 21:48 ` sergeh [this message]
2025-05-16 21:49 ` [PATCH] " sergeh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aCeyyly3NFSvsZYN@lei \
--to=sergeh@kernel.org \
--cc=christian@brauner.io \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=max.kellermann@ionos.com \
--cc=morgan@kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox