From mboxrd@z Thu Jan 1 00:00:00 1970 From: ebiederm@xmission.com (Eric W. Biederman) Subject: Re: [RFC][PATCH v3] Unprivileged: Disable raising of privileges Date: Thu, 31 Dec 2009 00:57:49 -0800 Message-ID: References: <20091229223631.GB22578@us.ibm.com> <3e8340490912291954v5a837a26p64bd776102d281d7@mail.gmail.com> <3e8340490912292057g3e87eaabn115f85b78af2b08c@mail.gmail.com> <551280e50912300652r1007dee0j8de750bf33af9b3c@mail.gmail.com> <20091230183513.GC14493@us.ibm.com> <20091230201712.GA23999@us.ibm.com> <20091230212931.233003b9@lxorguk.ukuu.org.uk> <20091230230042.5d2e78ac@lxorguk.ukuu.org.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "Serge E. Hallyn" , "Andrew G. Morgan" , Bryan Donlan , Benny Amorsen , Michael Stone , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen , David Lang , Oliver Hartkopp , Herbert Xu , Valdis Kletnieks , Evgeniy Polyakov , "C. Scott Ananian" , James Morris , Bernie Innocenti , Mark Seaborn , Randy Dunlap , =?utf-8?Q?Am=C3=A9rico?= Wang , Tetsuo Handa , Samir Bellabes , Casey Schaufler Return-path: In-Reply-To: <20091230230042.5d2e78ac@lxorguk.ukuu.org.uk> (Alan Cox's message of "Wed\, 30 Dec 2009 23\:00\:42 +0000") Sender: linux-security-module-owner@vger.kernel.org List-Id: netdev.vger.kernel.org Alan Cox writes: > On Wed, 30 Dec 2009 13:36:57 -0800 > ebiederm@xmission.com (Eric W. Biederman) wrote: > >> Alan Cox writes: >> >> >> Added bprm->nosuid to make remove the need to add >> >> duplicate error prone checks. This ensures that >> >> the disabling of suid executables is exactly the >> >> same as MNT_NOSUID. >> > >> > Another fine example of why we have security hooks so that we don't get a >> > kernel full of other "random security idea of the day" hacks. >> >> Well it comes from plan 9. Except there they just simply did not >> implement suid. What causes you to think dropping the ability >> to execute suid executables is a random security idea of the day? > > Well to be fair its random regurgitated security idea of every year or > two. > > More to the point - we have security_* hooks so this kind of continuous > security proposal turdstream can stay out of the main part of the kernel. > > Cleaning up the mechanism by which NOSUID is handled in kernel seems a > good idea. Adding wacky new prctls and gunk for it doesn't, and belongs > in whatever security model you are using via the security hooks. I am more than happy to make this a proper system call, instead of a prctl. The way this code is evolving that seems to be the clean way to handle this. No point in hiding the functionality away in a corner in shame. In my book SUID applications are the root of all evil. They are exploitable if you twist their environment in a way they have not hardened themselves against, and simply supporting them prevents a lot of good features from being used by ordinary applications. To get SUID out of my way I have to do something. A disable SUID from this process and it's children is a simple and direct way there. My other path is much more complicated. As this also has security related uses it seems even better as a feature. Eric