From: Peter Williams <pwil3058@bigpond.net.au>
To: Ingo Molnar <mingo@elte.hu>
Cc: linux-kernel@vger.kernel.org, Andrew Morton <akpm@osdl.org>,
Linus Torvalds <torvalds@osdl.org>,
Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: [patch] sys_setpriority() euid semantics fix
Date: Wed, 02 Feb 2005 08:46:06 +1100 [thread overview]
Message-ID: <41FFF89E.20708@bigpond.net.au> (raw)
In-Reply-To: <20050201101105.GA28194@elte.hu>
Ingo Molnar wrote:
> * Peter Williams <pwil3058@bigpond.net.au> wrote:
>
>
>>I've just noticed what might be a bug in the original code. Shouldn't
>>the following:
>>
>> if ((current->euid != p->euid) && (current->euid != p->uid) &&
>> !capable(CAP_SYS_NICE))
>>
>>be:
>>
>> if ((current->uid != p->uid) && (current->euid != p->uid) &&
>> !capable(CAP_SYS_NICE))
>>
>>I.e. if the real or effective uid of the task doing the setting is not
>>the same as the uid of the target task it is not allowed to change the
>>target task's policy unless it is specially privileged.
>
>
> no. The original code is quite logical: when doing something to others,
> only the euid is taken into account. When others do something to you,
> both the uid and the euid is checked ('others' might have no idea about
> this task temporarily changing the euid to a less/more privileged uid).
> So sys_setscheduler() [and sys_setaffinity(), which does the same] is
> fine.
I disagree. Logically, the only privileges that should be relevant are
those of the task making the change i.e. those of current. The
effective uid of the target task is irrelevant. If only the effective
uid counts for determining what a task can do then the statement can be
simplified to:
if ((current->euid != p->uid) && !capable(CAP_SYS_NICE))
but I think that this is wrong as having an effective uid that is
different to the real uid doesn't cancel the privileges assoctaied with
the real uid.
The way uid and effective uid effect a task's operations on files are a
guide to their logical application in cases like this.
Since this operation is usually performed by a task on itself it
probably doesn't matter. But when task A is trying to change the policy
of task B then it is the privileges of the task A that count and all
that is relevant about task B is who its real owner is.
For example, if a user A ran a program that was setuid to an
unprivileged user B then A would be unable (from within that program) to
change the policy of any RT tasks that she had running to SCHED_NORMAL
unless those tasks were also setuid to B. I agree that this is a highly
unlikely circumstance but it does serve to illustrate the point w.r.t.
what is logical.
>
> what _is_ inconsistent is kernel/sys.c's setpriority()/set_one_prio().
>
> It checks current->euid|uid against p->uid, which makes little sense,
I think that this is correct.
> but is how we've been doing it ever since. It's a Linux quirk documented
> in the manpage. To make things funnier, SuS requires current->euid|uid
> match against p->euid.
I've just read the man page and I think that the description of what
Linux does (or is supposed to do) is correct/logical and that the other
behaviors described are (very) illogical. In any case, the change that
I suggested will make the behaviour match what the man page says.
>
> The patch below fixes it (and brings the logic in line with what
> setscheduler()/setaffinity() does), but if we do it then it should be
> done only in 2.6.12 or later, after good exposure in -mm.
>
> (Worst-case this could break an application but i highly doubt it: it at
> most could deny renicing another task to positive (or in very rare
> cases, to negative) nice values, which no application should crash on
> something like that, normally.)
Yes, it's fairly benign. Especially as most common use of this would be
tasks calling it on themselves. I'm not going to lose any sleep over it :-)
Peter
--
Peter Williams pwil3058@bigpond.net.au
"Learning, n. The kind of ignorance distinguishing the studious."
-- Ambrose Bierce
next prev parent reply other threads:[~2005-02-01 21:46 UTC|newest]
Thread overview: 198+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-19 22:39 [PATCH]sched: Isochronous class v2 for unprivileged soft rt scheduling Con Kolivas
2005-01-20 0:16 ` utz lehmann
2005-01-20 0:33 ` Con Kolivas
2005-01-20 4:26 ` utz lehmann
2005-01-20 5:55 ` Con Kolivas
2005-01-20 17:54 ` Alexander Nyberg
2005-01-20 20:27 ` Con Kolivas
2005-01-20 0:53 ` Con Kolivas
2005-01-20 1:32 ` Jack O'Quin
2005-01-20 2:06 ` Con Kolivas
2005-01-20 2:45 ` Jack O'Quin
2005-01-20 4:07 ` Con Kolivas
2005-01-20 4:57 ` Jack O'Quin
2005-01-20 5:05 ` Gene Heskett
2005-01-20 5:59 ` Con Kolivas
2005-01-20 6:35 ` Con Kolivas
2005-01-20 15:19 ` Jack O'Quin
2005-01-20 15:42 ` Paul Davis
2005-01-20 16:47 ` Jack O'Quin
2005-01-20 17:25 ` Ingo Molnar
2005-01-22 0:09 ` Jack O'Quin
2005-01-22 16:54 ` Ingo Molnar
2005-01-22 21:23 ` Jack O'Quin
2005-01-23 2:06 ` Nick Piggin
2005-01-23 2:58 ` Chris Wright
2005-01-24 8:59 ` Ingo Molnar
2005-01-24 9:55 ` Paolo Ciarrocchi
2005-01-24 10:29 ` Nick Piggin
2005-01-24 10:46 ` Ingo Molnar
2005-01-24 12:58 ` [patch, 2.6.11-rc2] sched: /proc/sys/kernel/rt_cpu_limit tunable Ingo Molnar
2005-01-24 13:34 ` Ingo Molnar
2005-01-24 13:53 ` Con Kolivas
2005-01-24 14:01 ` [ck] " Con Kolivas
[not found] ` <87k6q2umla.fsf@sulphur.joq.us>
2005-01-25 6:28 ` Nick Piggin
2005-01-25 14:12 ` Ingo Molnar
2005-01-25 8:37 ` Ingo Molnar
2005-01-25 21:36 ` Jack O'Quin
2005-01-25 21:49 ` Ingo Molnar
2005-01-25 21:55 ` Chris Wright
2005-01-25 21:57 ` Ingo Molnar
2005-01-25 22:03 ` Chris Wright
2005-01-25 22:08 ` Ingo Molnar
2005-01-25 22:16 ` Chris Wright
2005-01-25 22:44 ` Bill Rugolsky Jr.
2005-01-26 5:12 ` Jack O'Quin
2005-01-26 7:27 ` Ingo Molnar
2005-01-26 11:02 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU feature, -D7 Ingo Molnar
2005-01-25 13:56 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU_RATIO feature Ingo Molnar
2005-01-25 14:06 ` Con Kolivas
2005-01-25 22:18 ` Peter Williams
2005-01-25 22:26 ` Peter Williams
2005-01-26 10:08 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU feature, -D7 Ingo Molnar
2005-01-26 14:22 ` Jack O'Quin
2005-01-26 16:18 ` [ck] " Cal
2005-01-26 16:29 ` Cal
2005-01-26 16:41 ` Jack O'Quin
2005-01-26 17:57 ` Cal
2005-01-26 18:57 ` Jack O'Quin
2005-01-27 2:03 ` Cal
2005-01-27 8:51 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU feature, -D8 Ingo Molnar
2005-01-27 12:48 ` Cal
2005-01-27 16:31 ` Mike Galbraith
2005-01-26 21:28 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU feature, -D7 Peter Williams
2005-01-26 21:44 ` Peter Williams
2005-01-26 9:20 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU_RATIO feature Ingo Molnar
2005-01-31 23:03 ` Peter Williams
2005-02-01 10:11 ` [patch] sys_setpriority() euid semantics fix Ingo Molnar
2005-02-01 21:46 ` Peter Williams [this message]
2005-01-26 5:24 ` [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU_RATIO feature Jack O'Quin
2005-01-26 7:04 ` Ingo Molnar
2005-01-26 22:27 ` Jack O'Quin
2005-01-26 23:29 ` Nick Piggin
2005-01-27 2:31 ` Jack O'Quin
2005-01-27 3:26 ` Nick Piggin
2005-01-27 5:15 ` Jack O'Quin
2005-01-27 5:54 ` Nick Piggin
2005-01-27 8:35 ` Ingo Molnar
2005-01-27 8:59 ` Ingo Molnar
2005-01-27 11:35 ` Ingo Molnar
2005-02-02 5:10 ` Jack O'Quin
2005-02-02 11:10 ` Bill Huey
2005-02-02 16:44 ` Jack O'Quin
2005-02-02 21:14 ` Bill Huey
2005-02-02 21:20 ` Bill Huey
2005-02-02 21:21 ` Ingo Molnar
2005-02-02 21:34 ` Bill Huey
2005-02-02 22:59 ` Paul Davis
2005-02-03 2:46 ` Bill Huey
2005-02-03 14:20 ` Paul Davis
2005-02-03 20:19 ` Con Kolivas
2005-02-03 20:47 ` Ingo Molnar
2005-02-03 21:15 ` Paul Davis
2005-02-03 21:28 ` Ingo Molnar
2005-02-03 21:41 ` Paul Davis
2005-02-03 21:59 ` Ingo Molnar
2005-02-03 22:24 ` Paul Davis
2005-02-03 22:26 ` Ingo Molnar
2005-02-04 0:36 ` Tristan Wibberley
2005-02-03 21:48 ` Peter Williams
2005-02-04 16:41 ` Jack O'Quin
2005-02-04 21:38 ` Peter Williams
2005-02-03 21:41 ` Ingo Molnar
2005-02-03 23:01 ` Bill Huey
2005-02-11 21:27 ` Lee Revell
2005-02-02 21:54 ` Peter Williams
2005-02-02 23:03 ` Paul Davis
2005-02-02 23:46 ` Peter Williams
2005-02-03 1:13 ` Jack O'Quin
2005-02-03 3:10 ` Peter Williams
2005-02-03 3:56 ` Jack O'Quin
2005-02-03 21:36 ` Ingo Molnar
2005-02-04 0:35 ` Chris Wright
2005-02-04 17:21 ` Jack O'Quin
2005-02-03 2:54 ` Bill Huey
2005-02-03 3:25 ` Peter Williams
2005-02-02 11:37 ` Ingo Molnar
2005-02-02 16:01 ` Jack O'Quin
2005-02-02 18:59 ` Lee Revell
2005-02-02 19:31 ` Jack O'Quin
2005-02-02 20:29 ` Ingo Molnar
2005-02-02 22:45 ` Jack O'Quin
2005-02-02 20:17 ` Ingo Molnar
2005-01-27 20:01 ` Lee Revell
2005-01-28 6:38 ` Ingo Molnar
2005-01-28 8:09 ` Jack O'Quin
2005-01-28 8:08 ` Ingo Molnar
2005-01-28 8:35 ` Jack O'Quin
2005-01-28 8:40 ` Ingo Molnar
2005-01-28 9:01 ` Jack O'Quin
2005-01-28 9:11 ` Ingo Molnar
2005-01-29 0:44 ` Lee Revell
2005-01-28 9:51 ` Mike Galbraith
2005-01-28 22:16 ` Peter Williams
2005-01-28 22:19 ` Ingo Molnar
2005-01-29 7:02 ` Jack O'Quin
2005-01-31 22:29 ` Bill Davidsen
2005-02-01 0:39 ` Bill Huey
2005-01-25 5:16 ` [PATCH]sched: Isochronous class v2 for unprivileged soft rt scheduling Jack O'Quin
2005-01-25 15:09 ` Ingo Molnar
2005-01-23 20:48 ` Jack O'Quin
2005-01-23 22:57 ` Con Kolivas
2005-01-24 1:06 ` Jack O'Quin
2005-01-24 1:09 ` Con Kolivas
2005-01-24 4:45 ` Jack O'Quin
2005-01-24 4:53 ` Jack O'Quin
2005-01-24 6:28 ` Jack O'Quin
2005-01-24 6:35 ` Con Kolivas
2005-01-24 6:57 ` Jack O'Quin
2005-01-24 22:58 ` Con Kolivas
2005-01-25 3:55 ` Con Kolivas
2005-01-25 13:05 ` Con Kolivas
2005-01-25 14:38 ` Con Kolivas
2005-01-25 18:36 ` Jack O'Quin
2005-01-25 20:52 ` Rui Nuno Capela
2005-01-24 21:46 ` Con Kolivas
2005-01-23 7:38 ` Jack O'Quin
2005-01-23 7:41 ` Con Kolivas
2005-01-24 6:30 ` Jack O'Quin
2005-01-24 20:55 ` Ingo Molnar
2005-01-20 21:59 ` Peter Chubb
2005-01-21 0:30 ` Jack O'Quin
2005-01-22 14:06 ` Paul Davis
2005-01-20 17:49 ` ross
2005-01-20 19:07 ` Lee Revell
2005-01-20 23:17 ` Con Kolivas
2005-01-21 7:48 ` Ingo Molnar
2005-02-07 3:09 ` Werner Almesberger
2005-02-07 3:27 ` Jack O'Quin
2005-02-07 3:27 ` Con Kolivas
2005-01-20 9:06 ` Rui Nuno Capela
2005-01-20 17:09 ` Rui Nuno Capela
2005-01-20 19:32 ` Jack O'Quin
2005-01-21 9:18 ` Rui Nuno Capela
2005-01-21 16:23 ` Con Kolivas
2005-01-21 16:40 ` Jack O'Quin
2005-01-22 0:06 ` Con Kolivas
2005-01-22 6:18 ` Jack O'Quin
2005-01-22 6:19 ` Con Kolivas
2005-01-22 6:48 ` Con Kolivas
2005-01-22 6:50 ` Con Kolivas
2005-01-22 7:09 ` Con Kolivas
2005-01-22 20:22 ` Jack O'Quin
2005-01-23 1:02 ` Con Kolivas
2005-01-23 3:02 ` Jack O'Quin
2005-01-23 4:29 ` Con Kolivas
2005-01-23 4:46 ` Jack O'Quin
2005-01-23 4:50 ` Con Kolivas
2005-01-23 7:37 ` Mike Galbraith
2005-01-23 13:57 ` Paul Davis
2005-01-23 1:31 ` Con Kolivas
2005-01-23 1:41 ` Paul Davis
2005-01-23 1:56 ` Con Kolivas
2005-01-23 4:50 ` Jack O'Quin
2005-01-21 23:30 ` utz lehmann
2005-01-21 23:48 ` Con Kolivas
2005-01-22 0:28 ` utz lehmann
2005-01-22 3:52 ` Con Kolivas
2005-01-22 6:15 ` Jack O'Quin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41FFF89E.20708@bigpond.net.au \
--to=pwil3058@bigpond.net.au \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=torvalds@osdl.org \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox