From: "Theodore Ts'o" <tytso@mit.edu>
To: Jeff Layton <jlayton@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Jim Lieb <jlieb@panasas.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
LSM List <linux-security-module@vger.kernel.org>,
"Serge E. Hallyn" <serge@canonical.com>,
Kees Cook <keescook@chromium.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
bfields@redhat.com
Subject: Re: Thoughts on credential switching
Date: Sun, 30 Mar 2014 09:03:29 -0400 [thread overview]
Message-ID: <20140330130328.GB7172@thunk.org> (raw)
In-Reply-To: <20140327070802.124fb34c@ipyr.poochiereds.net>
On Thu, Mar 27, 2014 at 07:08:02AM -0700, Jeff Layton wrote:
> I had some time to think about this last night...
>
> While using a fd to pass around credentials is convenient, the danger
> is that it's pretty opaque. You have a fd that you know has creds
> attached to it, but it's hard to be certain what is going to change.
I don't think that's a particularly tough problem. In general, the fd
isn't something that you would want to pass around, and so the process
which generated it will know exactly what it contained.
> Perhaps we can use the flags field for that. So, assuming we have a fd
> with the creds attached, we could do something like:
>
> err = switch_creds(fd, SC_FSUID|SC_FSGID|SC_GROUPS);
>
> ...then the switch_creds syscall could be set up to fail if the new
> credentials had other fields that didn't match those in the current
> task credentials. So if (for instance) the cred->euid were
> different between the two, the above could fail with -EINVAL or
> something.
Huh? The whole *point* is that the creds value will be different, of
course they won't match! I would think this would be over
complicating the interface.
A couple of other things. What I would suggest is that we create a
few new fd flags, to join FD_CLOEXEC:
FD_NOPROCFS disallow being able to open the inode via /proc/<pid>/fd
(but in the case of a creds fd, for bonus points, the
target of the pseudo-symlink could be something like:
"uid: 15806 gid: 100: grps: 27, 50" to aid in debugging
a userspace file server). This also answers Jeff's concern
if for some reason --- I don't know how --- a process
doesn't know what the contents of the creds fd that
it created itself.
FD_NOPASSFD disallow being able to pass the fd via a unix domain socket
FD_LOCKFLAGS if this bit is set, disallow any further changes of FD_CLOEXEC,
FD_NOPROCFS, FD_NOPASSFD, and FD_LOCKFLAGS flags.
Some of the functionality requested by the folks suggesting the "SEAL"
API would also be covered by these fd flags.
In order to solve some potential race concerns, a credsfd must be
created with FD_CLOEXEC and FD_NOPROCFS enabled.
Why is this important even if the anon_inode is owned by root with a
mode of 0? Because if the system is set up to use SELinux or full
Posix capabilities, merely having the a uid of 0 is not special, and
we don't want to allow a process with uid of 0 to be able modify the
mode with the /proc/<pid>/fd/<FD> and then proceed to open the inode
using open. This way, instead of adding special case code to prevent
this from happening, we can add a more general facility which can be
used to solve a few other problems.
Regards,
- Ted
next prev parent reply other threads:[~2014-03-30 17:31 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-27 0:23 Thoughts on credential switching Andy Lutomirski
2014-03-27 0:42 ` Serge Hallyn
2014-03-27 1:01 ` Andy Lutomirski
2014-03-27 15:41 ` Florian Weimer
2014-03-27 16:21 ` Andy Lutomirski
2014-03-27 2:48 ` Jeff Layton
2014-03-27 3:05 ` Andy Lutomirski
2014-03-27 3:25 ` Jeff Layton
2014-03-27 14:08 ` Jeff Layton
2014-03-29 6:43 ` Alex Elsayed
2014-03-30 13:03 ` Theodore Ts'o [this message]
2014-03-30 18:56 ` Andy Lutomirski
2014-03-31 11:51 ` Jeff Layton
2014-03-31 18:06 ` Trond Myklebust
2014-03-31 18:12 ` Jeff Layton
2014-03-31 19:26 ` Andy Lutomirski
2014-03-31 20:14 ` Trond Myklebust
2014-03-31 21:25 ` Andy Lutomirski
2014-03-27 12:46 ` Florian Weimer
2014-03-27 13:02 ` Jeff Layton
2014-03-27 13:06 ` Florian Weimer
2014-03-27 13:33 ` Boaz Harrosh
2014-04-22 11:37 ` Florian Weimer
2014-04-22 12:14 ` Boaz Harrosh
2014-04-22 16:35 ` Jim Lieb
2014-03-27 14:01 ` Jeff Layton
2014-03-27 18:26 ` Jeremy Allison
2014-03-27 18:46 ` Andy Lutomirski
2014-03-27 18:56 ` Jeremy Allison
2014-03-27 19:02 ` Andy Lutomirski
2014-03-27 19:30 ` Jim Lieb
2014-03-27 19:45 ` Andy Lutomirski
2014-03-27 20:47 ` Jim Lieb
2014-03-27 21:19 ` Andy Lutomirski
2014-03-31 10:44 ` One Thousand Gnomes
2014-03-31 16:49 ` Andy Lutomirski
2014-04-01 20:22 ` One Thousand Gnomes
2014-03-31 19:05 ` Jeremy Allison
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140330130328.GB7172@thunk.org \
--to=tytso@mit.edu \
--cc=bfields@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jlayton@redhat.com \
--cc=jlieb@panasas.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox