From: Josh Triplett <josh@joshtriplett.org>
To: "Theodore Ts'o" <tytso@mit.edu>,
Andy Lutomirski <luto@amacapital.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Linux API <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups
Date: Sat, 15 Nov 2014 20:52:32 -0800 [thread overview]
Message-ID: <20141116045232.GB18880@thin> (raw)
In-Reply-To: <20141116034005.GC5507@thunk.org>
On Sat, Nov 15, 2014 at 10:40:06PM -0500, Theodore Ts'o wrote:
> On Sat, Nov 15, 2014 at 06:35:05PM -0800, Josh Triplett wrote:
> > >So arbitrarily anyone to drop groups from their supplemental group
> > >list will result in a change from both existing practice and legacy
> > >Unix systems, and it could potentially lead to a security exposure.
> >
> > As Andy pointed out, you can already do that with a user namespace,
> > for any case not involving a setuid or setgid (or otherwise
> > privilege-gaining) program. And requiring no_new_privs handles
> > that.
>
> Well, it's no worse than what we can do already with the user
> namespace, yes. I'm still worried it's going to come as a surprise
> for some configurations because it's a change from what was allowed
> historically. Then again, pretty much all of the tripwire and rootkit
> scanners won't notice a "setuid" program that uses capabilities
> instead of the traditional setuid bit, and most sysadmins won't think
> to check for an executable with a forced capability mask, so this
> isn't exactly a new problem....
We certainly have introduced orthogonal APIs in various areas before,
such that applications written prior to those APIs may interact
interestingly with them; we don't allow *breaking* those applications,
or introducing security holes, but the existence of applications
designed to block one particular way to do something doesn't
*automatically* rule out the possibility of adding another way to do it.
It does require some careful thought, though.
When we introduced seccomp filters for syscalls, we tied them to
no_new_privs to prevent any possible security holes caused by selective
syscall denial/filtration.
In this case, I'm indifferent about whether unprivileged setgroups works
without no_new_privs; if people are comfortable with that, fine, and if
people would prefer no_new_privs (or for that matter a sysctl, a
compile-time option, or any other means of making the behavior
optional), I can do that too. The security model of "having a group
gives you less privilege than not having it" seems crazy, but
nonetheless I can see a couple of easy ways that we can avoid breaking
that pattern, no_new_privs being one of them. I'd like to make sure
that nobody sees any other real-world corner case that unprivileged
setgroups would break.
- Josh Triplett
next prev parent reply other threads:[~2014-11-16 4:52 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-15 9:00 [PATCH 1/2] groups: Factor out a function to set a pre-sorted group list Josh Triplett
2014-11-15 9:01 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Josh Triplett
2014-11-15 15:37 ` Eric W. Biederman
2014-11-15 19:29 ` Josh Triplett
2014-11-15 20:06 ` Andy Lutomirski
2014-11-15 20:20 ` Josh Triplett
2014-11-16 2:05 ` Theodore Ts'o
2014-11-16 2:35 ` Josh Triplett
2014-11-16 3:08 ` Eric W. Biederman
2014-11-16 5:07 ` Josh Triplett
2014-11-16 13:32 ` Theodore Ts'o
2014-11-16 15:42 ` Andy Lutomirski
2014-11-16 19:12 ` Josh Triplett
2014-11-16 19:09 ` Josh Triplett
2014-11-16 3:40 ` Theodore Ts'o
2014-11-16 4:52 ` Josh Triplett [this message]
2014-11-17 11:37 ` One Thousand Gnomes
2014-11-17 18:07 ` Andy Lutomirski
2014-11-17 22:11 ` Eric W.Biederman
2014-11-17 22:22 ` Andy Lutomirski
2014-11-17 22:37 ` josh
2014-11-18 0:56 ` Casey Schaufler
2014-11-17 18:06 ` Casey Schaufler
2014-11-17 18:31 ` Andy Lutomirski
2014-11-17 18:46 ` Andy Lutomirski
2014-11-17 18:51 ` Casey Schaufler
2014-11-27 16:59 ` [CFT][PATCH] userns: Avoid problems with negative groups Eric W. Biederman
2014-11-27 20:52 ` Andy Lutomirski
2014-11-28 5:21 ` Eric W. Biederman
2014-11-28 5:22 ` [CFT][PATCH v2] " Eric W. Biederman
2014-11-28 15:11 ` [CFT][PATCH] " Andy Lutomirski
2014-11-28 16:34 ` Eric W. Biederman
2014-11-28 17:11 ` Andy Lutomirski
2014-11-17 22:41 ` [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups Eric W.Biederman
2014-11-17 22:50 ` Andy Lutomirski
2014-11-17 23:13 ` josh
2014-11-15 9:01 ` [PATCH manpages] getgroups.2: Document unprivileged setgroups calls Josh Triplett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141116045232.GB18880@thin \
--to=josh@joshtriplett.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox