From: Stanislav Kinsburskiy
To: One Thousand Gnomes, "Eric W. Biederman"
CC: Cyrill Gorcunov
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
Date: Wed, 20 Jul 2016 13:30:25 +0200
Message-ID: <080e133d-cf73-33bc-a5ef-743384dd9465@virtuozzo.com>
In-Reply-To: <20160718211155.393aca3c@lxorguk.ukuu.org.uk>
References: <20160712152940.24895.61315.stgit@localhost.localdomain> <20160712164800.GD3661@uranus.lan> <87inwa2406.fsf@x220.int.ebiederm.org> <20160718211155.393aca3c@lxorguk.ukuu.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

18.07.2016 22:11, One Thousand Gnomes wrote:
>>>> 1) Attach to process via ptrace (protected by CAP_SYS_PTRACE)
>>>> 2) Unmap all the process file mappings related to the "exe" file.
>>>> 3) Change exe link (protected by CAP_SYS_RESOURCE).
>>>>
>>>> IOW, some other process already has access to process internals (and thus
>>>> it's already compromised), and can inject fork and use the child of the
>>>> compromised program to masquerade.
>>>> Which means this limitation doesn't solve the problem it was aimed at.
> IFF it is the same uid or root (in which case you already lost). In the
> case of cross uid activity this is not true.

Could you elaborate on it, please?

> Alan