All of lore.kernel.org
 help / color / mirror / Atom feed
From: Chen Gang <gang.chen@asianux.com>
To: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Oleg Nesterov <oleg@redhat.com>,
	Kees Cook <keescook@chromium.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	holt@sgi.com, Andrew Morton <akpm@linux-foundation.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] kernel/sys.c: return the current gid when error occurs
Date: Fri, 09 Aug 2013 08:55:55 +0800	[thread overview]
Message-ID: <52043E1B.4060803@asianux.com> (raw)
In-Reply-To: <5203A2A4.7030402@gmail.com>

On 08/08/2013 09:52 PM, Michael Kerrisk (man-pages) wrote:
> On 08/08/13 03:48, Chen Gang wrote:
>> On 08/08/2013 09:35 AM, Andy Lutomirski wrote:
>>> On Wed, Aug 7, 2013 at 6:30 PM, Chen Gang <gang.chen@asianux.com> wrote:
>>>> On 08/08/2013 12:58 AM, Andy Lutomirski wrote:
>>>>> On Wed, Aug 7, 2013 at 9:21 AM, Oleg Nesterov <oleg@redhat.com> wrote:
>>>>>> On 08/06, Andy Lutomirski wrote:
>>>>>>>
>>>>>>> I assume that what the man page means is that the return value is
>>>>>>> whatever fsgid was prior to the call.  On error, fsgid isn't changed, so
>>>>>>> the return value is still "current".
>>>>>>
>>>>>> Probably... Still
>>>>>>
>>>>>>         On success, the previous value of fsuid is returned.
>>>>>>         On error, the current value of fsuid is returned.
>>>>>>
>>>>>> looks confusing. sys_setfsuid() always returns the old value.
>>>>>>
>>>>>>> (FWIW, this behavior is awful and is probably the cause of a security
>>>>>>> bug or three, since success and failure are indistinguishable.
>>>>>>
>>>>>> At least this all looks strange.
>>>>>>
>>>>>> I dunno if we can change this old behaviour. I won't be surprized
>>>>>> if someone already uses setfsuid(-1) as getfsuid().
>>>>>
>>>>
>>>> Oh, really it is.
>>>>
>>>> Hmm... as a pair function, we need add getfsuid() too, if we do not add
>>>> it, it will make negative effect with setfsuid().
>>>>
>>>> Since it is a system call, we have to keep compitable.
>>>>
>>>> So in my opinion, better add getfsuid2()/setfsuid2() instead of current
>>>> setfsuid()
>>>
>>> How about getfsuid() and setfsuid2()?
>>>
>>
>> Hmm... I have 2 reasons, please check.
>>
>> 1st reason: I checked history (just like Kees Cook suggested),
>> getfsuid() is mentioned before (you can google to find it), so need use
>> getfsuid2() to bypass the history complex.
>>
>> And 2nd reason: getfsuid() seems more like the pair of setfsuid(), not
>> for setfsuid2().
> 
> Time to apply the brakes... *Why* add new system calls here? I don't 
> think there is any good reason. Yes, the existing APIs are rubbish,
> but, as far as I can tell, they are also obsolete and unneeded.
> The fsuid/fsgid mechanism was a bizarre Linuxism whose only purpose
> was (as far as I know), to allow for the fact that Linux long ago
> applied nonstandard rules when determining when one process could 
> send signals to another. Quoting some book on the subject:
> 
>     Why does Linux provide the file-system IDs and in what 
>     circumstances would we want the effective and file-system 
>     IDs to differ? The reasons are primarily historical.
>     The file-system IDs first appeared in Linux 1.2. In 
>     that kernel version, one process could send a signal to 
>     another if the effective user ID of the sender matched
>     the real or effective user ID of the target process. 
>     This affected certain programs such as the Linux NFS 
>     (Network File System) server program, which needed to be
>     able to access files as though it had the effective IDs 
>     of the corresponding client process. However, if the NFS 
>     server changed its effective user ID, it would be 
>     vulnerable to signals from unprivileged user processes. 
>     To prevent this possibility, the separate file-system user
>     and group IDs were devised. By leaving its effective IDs
>     unchanged, but changing its file-system IDs, the NFS 
>     server could masquerade as another user for the purpose of 
>     accessing files without being vulnerable to signals from
>     user processes.
> 
>     From kernel 2.0 onward, Linux adopted the SUSv3-mandated 
>     rules regarding permission for sending signals, and these 
>     rules don't involve the effective user ID of the target
>     process. Thus, the file-system ID feature is no longer 
>     strictly necessary (a process can nowadays achieve the 
>     desired results by making judicious use of the system
>     calls described later in this chapter to change
>     the value of the effective user ID to and from an
>     unprivileged value, as required), but it remains for
>     compatibility with existing software.
> 
> So, I don't think anything needs fixing: there should be no 
> new users of these system calls anyway.
> 

OK, thank you for your details, at least for me, what you says above
sounds reasonable.

> Cheers,
> 
> Michael
> 
> 

Thanks.
-- 
Chen Gang

  reply	other threads:[~2013-08-09  0:57 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-06  8:00 [PATCH 0/2] kernel/sys.c: for setfsgid(), return the current gid when error occurs Chen Gang
2013-08-06  8:01 ` [PATCH 1/2] kernel/sys.c: " Chen Gang
2013-08-06 20:21   ` Andy Lutomirski
2013-08-07  3:30     ` Chen Gang
2013-08-07 16:21     ` Oleg Nesterov
2013-08-07 16:58       ` Andy Lutomirski
2013-08-08  1:30         ` Chen Gang
2013-08-08  1:35           ` Andy Lutomirski
2013-08-08  1:48             ` Chen Gang
2013-08-08 13:52               ` Michael Kerrisk (man-pages)
2013-08-09  0:55                 ` Chen Gang [this message]
2013-08-08 13:37       ` Michael Kerrisk (man-pages)
2013-08-09  0:59         ` Chen Gang
2013-08-09  7:27           ` Michael Kerrisk (man-pages)
2013-08-06  8:02 ` [PATCH 2/2] kernel/sys.c: remove useless variable 'old_fsgid' for setfsgid() Chen Gang
2013-08-06  8:56   ` Chen Gang
2013-08-06  8:13 ` kernel/sys.c: for setfsuid(), return the current uid when error occurs Chen Gang
2013-08-06  8:14   ` Chen Gang
2013-08-06  8:15   ` [PATCH 0/2] " Chen Gang
2013-08-06  8:15     ` [PATCH 1/2] kernel/sys.c: " Chen Gang
2013-08-06  8:16     ` [PATCH 2/2] kernel/sys.c: remove useless variable 'old_fsuid' for setfsuid() Chen Gang
2013-08-06  8:55       ` Chen Gang
2013-08-06  8:43     ` [PATCH] kernel/sys.c: improve the usage of return value Chen Gang
2013-08-07 10:44       ` Chen Gang
2013-08-06 18:36 ` [PATCH 0/2] kernel/sys.c: for setfsgid(), return the current gid when error occurs Kees Cook
2013-08-07  2:25   ` Chen Gang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=52043E1B.4060803@asianux.com \
    --to=gang.chen@asianux.com \
    --cc=akpm@linux-foundation.org \
    --cc=holt@sgi.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mtk.manpages@gmail.com \
    --cc=oleg@redhat.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.