From: David Madore <david.madore@ens.fr>
To: Linux Kernel mailing-list <linux-kernel@vger.kernel.org>
Cc: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1)
Date: Sat, 9 Sep 2006 14:49:13 +0200
Message-ID: <20060909124913.GA22748@clipper.ens.fr>
In-Reply-To: <edt3m6$9kn$1@taverner.cs.berkeley.edu>

On Sat, Sep 09, 2006 at 01:01:02AM +0000, David Wagner wrote:
> David Madore  wrote:
> >On Fri, Sep 08, 2006 at 12:54:29AM +0200, Pavel Machek wrote:
> >>		      Alternatively disallow suid/sgid-anything exec
> >> when all "usual" capabilities are not present.
> >
> >This is probably too stringent: remove any trivial capability
> >whatsoever and you lose a rather important ability.
> 
> This might not be so terrible.  At least, I'm not sure I'd rule it
> out at this point -- it seems like it might be worth considering.

The following patch (follows version 0.4.3 of my main patch) should
make people happy in this respect: it adds a securebit (off by
default) to enable suid non-root execution by underprivileged
processes.

Signed-off-by: David A. Madore <david.madore@ens.fr>

---
 fs/exec.c                  |   16 ++++++++++++----
 include/linux/securebits.h |    9 +++++++++
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 1cb5e34..adf834b 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -44,6 +44,7 @@ #include <linux/proc_fs.h>
 #include <linux/ptrace.h>
 #include <linux/mount.h>
 #include <linux/security.h>
+#include <linux/securebits.h>
 #include <linux/syscalls.h>
 #include <linux/rmap.h>
 #include <linux/acct.h>
@@ -918,6 +919,7 @@ int prepare_binprm(struct linux_binprm *
 	int mode;
 	struct inode * inode = bprm->file->f_dentry->d_inode;
 	int retval;
+	char ok_to_sxid;
 
 	mode = inode->i_mode;
 	if (bprm->file->f_op == NULL)
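Review bot: `char ok_to_sxid;` stores the result of `capable()` combined with a logical-and, i.e. a plain truth value; the neighbouring declarations in this function (`int mode;`, `int retval;`) use `int` for such flags, so declare it `int ok_to_sxid;` for consistency with the surrounding code, and add a one-line comment saying it gates the set-uid/set-gid handling below, since the variable is only read some ten lines later.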
@@ -928,9 +930,16 @@ int prepare_binprm(struct linux_binprm *
 	bprm->is_suid = 0;
 	bprm->is_sgid = 0;
 
-	if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) {
+	ok_to_sxid = capable(CAP_REG_SXID)
+	  && !(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID);
+	if (!cap_issubset(CAP_REGULAR_SET, current->cap_permitted)
+	    && !issecure(SECURE_UNDERPRIVILEGED_MAY_SXID)
+	    && (issecure(SECURE_NOROOT) || inode->i_uid != 0))
+		ok_to_sxid = 0;
+
+	if (ok_to_sxid) {
 		/* Set-uid? */
-		if (mode & S_ISUID && capable(CAP_REG_SXID)) {
+		if (mode & S_ISUID) {
 			bprm->is_suid = 1;
 			current->personality &= ~PER_CLEAR_ON_SETID;
 			bprm->e_uid = inode->i_uid;
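Review bot: the `capable(CAP_REG_SXID)` call has moved out of the `mode & S_ISUID` / `S_ISGID` tests and is now evaluated on every exec, not only for set-id files; a successful `capable()` marks the task as having used privilege (PF_SUPERPRIV), so every exec by a process holding CAP_REG_SXID will now be flagged, where before only set-id execs were. Compute `ok_to_sxid` only after `mode & (S_ISUID | S_ISGID)` has been checked, or keep the `capable()` test inside the two branches as the removed lines had it. Separately, the exemption `(issecure(SECURE_NOROOT) || inode->i_uid != 0)` is keyed on the file's owner but also governs the set-gid branch: a set-gid executable owned by root without S_ISUID is exempted from the underprivileged check even though executing it does not yield euid 0, so the justification given in securebits.h (set-uid root is "already made secure by raising all caps") does not apply to it. Restricting the exemption to `(mode & S_ISUID) && inode->i_uid == 0`, or deciding the two bits separately, would match the stated intent.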
@@ -942,8 +951,7 @@ int prepare_binprm(struct linux_binprm *
 		 * is a candidate for mandatory locking, not a setgid
 		 * executable.
 		 */
-		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)
-		    && capable(CAP_REG_SXID)) {
+		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
 			bprm->is_sgid = 1;
 			current->personality &= ~PER_CLEAR_ON_SETID;
 			bprm->e_gid = inode->i_gid;
diff --git a/include/linux/securebits.h b/include/linux/securebits.h
index 5b06178..16e8f3e 100644
--- a/include/linux/securebits.h
+++ b/include/linux/securebits.h
@@ -18,6 +18,15 @@ #define SECURE_NOROOT            0
    privileges. When unset, setuid doesn't change privileges. */
 #define SECURE_NO_SETUID_FIXUP   2
 
+/* When set, allow underprivileged processes (= not possessing all
+   "regular" caps) to execute SUID/SGID executables (this is a
+   security issue as such executables might be surprised to run with
+   reduced privileges); if SECURE_NOROOT is _not_ set, this _does not_
+   apply to SUID root processes (they are already made secure by
+   raising all caps).  Removing the (regular) CAP_REG_SXID capability
+   also always inhibits any kind of SUID/SGID. */
+#define SECURE_UNDERPRIVILEGED_MAY_SXID 4
+
 /* Each securesetting is implemented using two bits. One bit specify
    whether the setting is on or off. The other bit specify whether the
    setting is fixed or not. A setting which is fixed cannot be changed
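Review bot: the new bit has the opposite polarity of its two neighbours: SECURE_NOROOT and SECURE_NO_SETUID_FIXUP restrict when set, SECURE_UNDERPRIVILEGED_MAY_SXID permits when set, and the comment should say so explicitly, together with the default (the covering mail says off by default, but nothing in this hunk shows it) and how the companion "fixed" bit described just below interacts with it, since an administrator hardening a system will want this setting locked off rather than merely off. The comment could also point at `prepare_binprm()` as the sole consumer of the bit, and Documentation should get the same text.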
