From: Peter Williams <pwil3058@bigpond.net.au>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Solar Designer <solar@openwall.com>,
Willy Tarreau <wtarreau@hera.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] set*uid() must not fail-and-return on OOM/rlimits
Date: Mon, 21 Aug 2006 10:23:35 +1000 [thread overview]
Message-ID: <44E8FD07.1010104@bigpond.net.au> (raw)
In-Reply-To: <1156114275.4051.71.camel@localhost.localdomain>
Alan Cox wrote:
> Ar Llu, 2006-08-21 am 02:12 +0400, ysgrifennodd Solar Designer:
>> Are you referring to killing of processes on OOM? That was in Linux
>> already, this patch does not introduce it.
>
> (pedantic) Only if you have overcommit disabled.
>
>> As it relates to setuid() in particular, POSIX.1-2001 says:
>>
>> The setuid() function shall fail, return -1, and set errno to the
>> corresponding value if one or more of the following are true:
>>
>> [EINVAL]
>> The value of the uid argument is invalid and not supported by
>> the implementation.
>> [EPERM] The process does not have appropriate privileges and uid does
>> not match the real user ID or the saved set-user-ID.
>>
>> No other error conditions are defined.
>
>> I'd say that the behavior of returning EAGAIN is non-compliant.
>
> You are allowed to return other errors. What you must not do is return a
> different error for the description described in the text as I
> understand it.
>
>> But the kills are needed. They are more correct and safer than
>> returning EAGAIN. An alternative would be to not allocate memory on
>> set*uid() at all - like we did not in older kernels - but that would
>> be an inappropriate behavior change for 2.4.
>
> It is certainly an awkward case to get right when setuid code is not
> being audited but I still think you are chasing the symptom, and its not
> symptom of crap code, so you are not likely to "fix" security. A lot of
> BSD code for example doesn't check malloc returns but you don't want an
> auto-kill if mmap fails ?
>
> The kill has the advantage that it stops the situation but it may also
> be that you kill a program which can handle the case and you create a
> new DoS attack (eg against a daemon switching to your uid). The current
> situation is not good, the updated situation could be far worse.
>
> The message is important, we want to know it happened in the memory
> shortage case anyway.
How about going ahead with the uid change (if the current user is root)
BUT still return -EAGAIN. That way programs that ignore the return
value will at least no longer have root privileges.
Peter
--
Peter Williams pwil3058@bigpond.net.au
"Learning, n. The kind of ignorance distinguishing the studious."
-- Ambrose Bierce
next prev parent reply other threads:[~2006-08-21 0:23 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-20 0:38 [PATCH] set*uid() must not fail-and-return on OOM/rlimits Solar Designer
2006-08-20 7:52 ` Kari Hurtta
2006-08-20 18:10 ` Alan Cox
2006-08-21 5:05 ` Kari Hurtta
2006-08-20 8:26 ` Willy Tarreau
2006-08-20 15:25 ` Solar Designer
2006-08-20 10:07 ` Alex Riesen
2006-08-20 15:30 ` Solar Designer
2006-08-20 15:53 ` Arjan van de Ven
2006-08-20 16:17 ` Willy Tarreau
2006-08-20 16:28 ` Ulrich Drepper
2006-08-20 16:45 ` Arjan van de Ven
2006-08-20 16:47 ` Michael Buesch
2006-08-20 16:48 ` Solar Designer
2006-08-20 18:03 ` Alan Cox
2006-08-20 18:10 ` Willy Tarreau
2006-08-20 18:36 ` Alan Cox
2006-08-20 18:21 ` Willy Tarreau
2006-08-20 18:52 ` Alan Cox
2006-08-20 19:01 ` Willy Tarreau
2006-08-20 19:33 ` Alan Cox
2006-08-20 19:17 ` Willy Tarreau
2006-08-20 16:04 ` Florian Weimer
2006-08-20 16:25 ` Solar Designer
2006-08-20 18:14 ` Alan Cox
2006-08-20 22:12 ` Solar Designer
2006-08-20 22:51 ` Alan Cox
2006-08-20 22:58 ` Solar Designer
2006-08-20 23:00 ` Alan Cox
2006-08-21 0:23 ` Peter Williams [this message]
2006-08-21 0:45 ` Solar Designer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44E8FD07.1010104@bigpond.net.au \
--to=pwil3058@bigpond.net.au \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=solar@openwall.com \
--cc=wtarreau@hera.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox