From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bryan Donlan Subject: Re: RFC: disablenetwork facility. (v4) Date: Tue, 29 Dec 2009 15:43:52 -0500 Message-ID: <3e8340490912291243q7ba43fd9v266835ebbda9315b@mail.gmail.com> References: <20091229050114.GC14362@heat> <20091229151146.GA32153@us.ibm.com> <3e8340490912290805s103fb789y13acea4a84669b20@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Cc: Benny Amorsen , "Serge E. Hallyn" , Michael Stone , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen , David Lang , Oliver Hartkopp , Alan Cox , Herbert Xu , Valdis Kletnieks , Evgeniy Polyakov , "C. Scott Ananian" , James Morris , Bernie Innocenti , Mark Seaborn , Randy Dunlap , =?ISO-8859-1?Q?Am=E9rico_Wang?= , Tetsuo Handa , Samir Bellabes , Casey Schaufler , Pavel Machek , To: "Eric W. Biederman" Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Tue, Dec 29, 2009 at 3:40 PM, Eric W. Biederman wrote: > Benny Amorsen writes: > >> Bryan Donlan writes: >> >>> I, for one, think it would be best to handle it exactly like the >>> nosuid mount option - that is, pretend the file doesn't have any >>> setuid bits set. There's no reason to deny execution; if the process >>> would otherwise be able to execute it, it can also copy the file to >>> make a non-suid version and execute that instead. >> >> Execute != read. The executable file may contain secrets which must not >> be available to the user running the setuid program. If you fail the >> setuid, the user will be able to ptrace() and then the secret is >> revealed. >> >> It's amazing how many security holes appear from what seems like a very >> simple request. > > Do we have a security hole in nosuid mount option? Looks like it: $ /tmp/m/sudo sudo: must be setuid root $ ls -l /tmp/m/sudo -rwsr-x--x 1 root root 123448 2009-06-22 12:14 /tmp/m/sudo