From: Josh Triplett <josh@joshtriplett.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
mtk.manpages@gmail.com, linux-api@vger.kernel.org,
linux-man@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups
Date: Sat, 15 Nov 2014 11:29:25 -0800 [thread overview]
Message-ID: <20141115192924.GB19060@thin> (raw)
In-Reply-To: <87d28osceg.fsf@x220.int.ebiederm.org>
On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote:
> Josh Triplett <josh@joshtriplett.org> writes:
>
> > Currently, unprivileged processes (without CAP_SETGID) cannot call
> > setgroups at all. In particular, processes with a set of supplementary
> > groups cannot further drop permissions without obtaining elevated
> > permissions first.
> >
> > Allow unprivileged processes to call setgroups with a subset of their
> > current groups; only require CAP_SETGID to add a group the process does
> > not currently have.
>
> A couple of questions.
> - Is there precedence in other unix flavors for this?
I found a few references to now-nonexistent pages at MIT about a system
with this property, but other than that no.
I've also found more than a few references to people wanting this
functionality.
> - What motiviates this change?
I have a series of patches planned to add more ways to drop elevated
privileges without requiring a transition through root to do so. That
would improve the ability for unprivileged users to run programs
sandboxed with even *less* privileges. (Among other things, that would
also allow programs running with no_new_privs to further *reduce* their
privileges, which they can't currently do in this case.)
> - Have you looked to see if anything might for bug compatibilty
> require applications not to be able to drop supplementary groups?
I haven't found any such case; that doesn't mean such a case does not
exist. Feedback welcome.
The only case I can think of (and I don't know of any examples of such a
system): some kind of quota system that limits the members of a group to
a certain amount of storage, but places no such limit on non-members.
However, the idea of *holding* a credential (a supplementary group ID)
giving *less* privileges, and *dropping* a credential giving *more*
privileges, would completely invert normal security models. (The sane
way to design such a system would be to have a privileged group for
"users who can exceed the quota".)
If it turns out that a real case exists that people care about, I could
easily make this configurable, either at compile time or via a sysctl.
- Josh Triplett
next prev parent reply other threads:[~2014-11-15 19:29 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-15 9:00 [PATCH 1/2] groups: Factor out a function to set a pre-sorted group list Josh Triplett
2014-11-15 9:01 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Josh Triplett
2014-11-15 15:37 ` Eric W. Biederman
2014-11-15 19:29 ` Josh Triplett [this message]
2014-11-15 20:06 ` Andy Lutomirski
2014-11-15 20:20 ` Josh Triplett
2014-11-16 2:05 ` Theodore Ts'o
2014-11-16 2:35 ` Josh Triplett
2014-11-16 3:08 ` Eric W. Biederman
2014-11-16 5:07 ` Josh Triplett
2014-11-16 13:32 ` Theodore Ts'o
2014-11-16 15:42 ` Andy Lutomirski
2014-11-16 19:12 ` Josh Triplett
2014-11-16 19:09 ` Josh Triplett
2014-11-16 3:40 ` Theodore Ts'o
2014-11-16 4:52 ` Josh Triplett
2014-11-17 11:37 ` One Thousand Gnomes
2014-11-17 18:07 ` Andy Lutomirski
2014-11-17 22:11 ` Eric W.Biederman
2014-11-17 22:22 ` Andy Lutomirski
2014-11-17 22:37 ` josh
2014-11-18 0:56 ` Casey Schaufler
2014-11-17 18:06 ` Casey Schaufler
2014-11-17 18:31 ` Andy Lutomirski
2014-11-17 18:46 ` Andy Lutomirski
2014-11-17 18:51 ` Casey Schaufler
2014-11-27 16:59 ` [CFT][PATCH] userns: Avoid problems with negative groups Eric W. Biederman
2014-11-27 20:52 ` Andy Lutomirski
2014-11-28 5:21 ` Eric W. Biederman
2014-11-28 5:22 ` [CFT][PATCH v2] " Eric W. Biederman
2014-11-28 15:11 ` [CFT][PATCH] " Andy Lutomirski
2014-11-28 16:34 ` Eric W. Biederman
2014-11-28 17:11 ` Andy Lutomirski
2014-11-17 22:41 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Eric W.Biederman
2014-11-17 22:50 ` Andy Lutomirski
2014-11-17 23:13 ` josh
2014-11-15 9:01 ` [PATCH manpages] getgroups.2: Document unprivileged setgroups calls Josh Triplett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141115192924.GB19060@thin \
--to=josh@joshtriplett.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox