On Sat, Sep 09, 2006 at 01:01:02AM +0000, David Wagner wrote:
> David Madore wrote:
> >On Fri, Sep 08, 2006 at 12:54:29AM +0200, Pavel Machek wrote:
> >> Alternatively disallow suid/sgid-anything exec
> >> when all "usual" capabilities are not present.
> >
> >This is probably too stringent: remove any trivial capability
> >whatsoever and you lose a rather important ability.
>
> This might not be so terrible. At least, I'm not sure I'd rule it
> out at this point -- it seems like it might be worth considering.
The following patch (follows version 0.4.3 of my main patch) should
make people happy in this respect: it adds a securebit (off by
default) to enable suid non-root execution by underprivileged
processes.
Signed-off-by: David A. Madore <[email protected]>
---
fs/exec.c | 16 ++++++++++++----
include/linux/securebits.h | 9 +++++++++
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index 1cb5e34..adf834b 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -44,6 +44,7 @@ #include <linux/proc_fs.h>
#include <linux/ptrace.h>
#include <linux/mount.h>
#include <linux/security.h>
+#include <linux/securebits.h>
#include <linux/syscalls.h>
#include <linux/rmap.h>
#include <linux/acct.h>
@@ -918,6 +919,7 @@ int prepare_binprm(struct linux_binprm *
int mode;
struct inode * inode = bprm->file->f_dentry->d_inode;
int retval;
+ char ok_to_sxid;
mode = inode->i_mode;
if (bprm->file->f_op == NULL)
@@ -928,9 +930,16 @@ int prepare_binprm(struct linux_binprm *
bprm->is_suid = 0;
bprm->is_sgid = 0;
- if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) {
+ ok_to_sxid = capable(CAP_REG_SXID)
+ && !(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID);
+ if (!cap_issubset(CAP_REGULAR_SET, current->cap_permitted)
+ && !issecure(SECURE_UNDERPRIVILEGED_MAY_SXID)
+ && (issecure(SECURE_NOROOT) || inode->i_uid != 0))
+ ok_to_sxid = 0;
+
+ if (ok_to_sxid) {
/* Set-uid? */
- if (mode & S_ISUID && capable(CAP_REG_SXID)) {
+ if (mode & S_ISUID) {
bprm->is_suid = 1;
current->personality &= ~PER_CLEAR_ON_SETID;
bprm->e_uid = inode->i_uid;
@@ -942,8 +951,7 @@ int prepare_binprm(struct linux_binprm *
* is a candidate for mandatory locking, not a setgid
* executable.
*/
- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)
- && capable(CAP_REG_SXID)) {
+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
bprm->is_sgid = 1;
current->personality &= ~PER_CLEAR_ON_SETID;
bprm->e_gid = inode->i_gid;
diff --git a/include/linux/securebits.h b/include/linux/securebits.h
index 5b06178..16e8f3e 100644
--- a/include/linux/securebits.h
+++ b/include/linux/securebits.h
@@ -18,6 +18,15 @@ #define SECURE_NOROOT 0
privileges. When unset, setuid doesn't change privileges. */
#define SECURE_NO_SETUID_FIXUP 2
+/* When set, allow underprivileged processes (= not possessing all
+ "regular" caps) to execute SUID/SGID executables (this is a
+ security issue as such executables might be surprised to run with
+ reduced privileges); if SECURE_NOROOT is _not_ set, this _does not_
+ apply to SUID root processes (they are already made secure by
+ raising all caps). Removing the (regular) CAP_REG_SXID capability
+ also always inhibits any kind of SUID/SGID. */
+#define SECURE_UNDERPRIVILEGED_MAY_SXID 4
+
/* Each securesetting is implemented using two bits. One bit specify
whether the setting is on or off. The other bit specify whether the
setting is fixed or not. A setting which is fixed cannot be changed
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
