From: James Morris <jmorris@namei.org>
To: Igor Lubashev <ilubashe@akamai.com>
Cc: Serge Hallyn <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
Al Viro <viro@ftp.linux.org.uk>
Subject: Re: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve
Date: Fri, 14 Jun 2019 13:38:53 +1000 (AEST) [thread overview]
Message-ID: <alpine.LRH.2.21.1906141338350.7150@namei.org> (raw)
In-Reply-To: <1560473087-27754-1-git-send-email-ilubashe@akamai.com>
[Adding David and Al]
On Thu, 13 Jun 2019, Igor Lubashev wrote:
> I've posted this in March but received no response. Reposting.
>
> This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
> preserved across execve. It is currently impossible to execve a
> program such that effective and filesystem uid differ.
>
> The need for this functionality arose from a desire to allow certain
> non-privileged users to run perf. To do this, we install perf without
> set-uid-root and have a set-uid-root wrapper decide who is allowed to
> run perf (and with what arguments).
>
> The wrapper must execve perf with real and effective root uid, because
> perf and KASLR require this. However, that presently resets fsuid to
> root, giving the user ability to read and overwrite any file owned by
> root (perf report -i, perf record -o). Also, perf record will create
> perf.data that cannot be deleted by the user.
>
> We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive
> level, since we must be selective which users have the permissions.
>
> Of course, we could fix our problem by a patch to perf to allow
> passing a username on the command line and having perf execute
> setfsuid before opening files. However, perf is not the only program
> that uses kernel features that require root uid/euid, so a general
> solution that does not involve updating all such programs seems
> warranted.
>
> I will update man pages, if this patch is deemed a good idea.
>
> Igor Lubashev (1):
> security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve
>
> include/uapi/linux/securebits.h | 10 +++++++++-
> security/commoncap.c | 9 +++++++--
> 2 files changed, 16 insertions(+), 3 deletions(-)
>
>
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2019-06-14 3:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-14 0:44 [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve Igor Lubashev
2019-06-14 0:44 ` [RFC PATCH 1/1] " Igor Lubashev
2019-06-14 3:38 ` James Morris [this message]
2019-06-14 5:09 ` [RFC PATCH 0/1] " James Morris
2019-06-15 1:16 ` Lubashev, Igor
2019-06-15 3:53 ` James Morris
2019-07-03 0:58 ` Lubashev, Igor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.21.1906141338350.7150@namei.org \
--to=jmorris@namei.org \
--cc=dhowells@redhat.com \
--cc=ilubashe@akamai.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox