From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: RFC: disablenetwork facility. (v4)
Date: Tue, 29 Dec 2009 12:40:55 -0800
Message-ID:
References: <20091229050114.GC14362@heat> <20091229151146.GA32153@us.ibm.com> <3e8340490912290805s103fb789y13acea4a84669b20@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Bryan Donlan, "Serge E. Hallyn", Michael Stone,
 linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
 linux-security-module@vger.kernel.org, Andi Kleen, David Lang,
 Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks,
 Evgeniy Polyakov, "C. Scott Ananian", James Morris, Bernie Innocenti,
 Mark Seaborn, Randy Dunlap, Américo Wang, Tetsuo Handa,
 Samir Bellabes, Casey Schaufler, Pavel Machek, Al Viro
To: Benny Amorsen
Return-path:
In-Reply-To: (Benny Amorsen's message of "Tue\, 29 Dec 2009 21\:10\:11 +0100")
Sender: linux-security-module-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Benny Amorsen writes:

> Bryan Donlan writes:
>
>> I, for one, think it would be best to handle it exactly like the
>> nosuid mount option - that is, pretend the file doesn't have any
>> setuid bits set. There's no reason to deny execution; if the process
>> would otherwise be able to execute it, it can also copy the file to
>> make a non-suid version and execute that instead.
>
> Execute != read. The executable file may contain secrets which must not
> be available to the user running the setuid program. If you fail the
> setuid, the user will be able to ptrace() and then the secret is
> revealed.
>
> It's amazing how many security holes appear from what seems like a very
> simple request.

Do we have a security hole in nosuid mount option?
Can someone write a patch to fix it?

Eric