From: Igor Lubashev <ilubashe@akamai.com>
To: Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
<linux-security-module@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>, Igor Lubashev <ilubashe@akamai.com>
Subject: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve
Date: Thu, 13 Jun 2019 20:44:46 -0400 [thread overview]
Message-ID: <1560473087-27754-1-git-send-email-ilubashe@akamai.com> (raw)
I've posted this in March but received no response. Reposting.
This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
preserved across execve. It is currently impossible to execve a
program such that effective and filesystem uid differ.
The need for this functionality arose from a desire to allow certain
non-privileged users to run perf. To do this, we install perf without
set-uid-root and have a set-uid-root wrapper decide who is allowed to
run perf (and with what arguments).
The wrapper must execve perf with real and effective root uid, because
perf and KASLR require this. However, that presently resets fsuid to
root, giving the user ability to read and overwrite any file owned by
root (perf report -i, perf record -o). Also, perf record will create
perf.data that cannot be deleted by the user.
We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive
level, since we must be selective which users have the permissions.
Of course, we could fix our problem by a patch to perf to allow
passing a username on the command line and having perf execute
setfsuid before opening files. However, perf is not the only program
that uses kernel features that require root uid/euid, so a general
solution that does not involve updating all such programs seems
warranted.
I will update man pages, if this patch is deemed a good idea.
Igor Lubashev (1):
security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve
include/uapi/linux/securebits.h | 10 +++++++++-
security/commoncap.c | 9 +++++++--
2 files changed, 16 insertions(+), 3 deletions(-)
--
2.7.4
next reply other threads:[~2019-06-14 0:46 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-14 0:44 Igor Lubashev [this message]
2019-06-14 0:44 ` [RFC PATCH 1/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve Igor Lubashev
2019-06-14 3:38 ` [RFC PATCH 0/1] " James Morris
2019-06-14 5:09 ` James Morris
2019-06-15 1:16 ` Lubashev, Igor
2019-06-15 3:53 ` James Morris
2019-07-03 0:58 ` Lubashev, Igor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1560473087-27754-1-git-send-email-ilubashe@akamai.com \
--to=ilubashe@akamai.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.