Re: [RFC][PATCH v3] Unprivileged: Disable raising of privileges

From: Alan Cox
Date: Fri Jan 01 2010 - 09:42:42 EST


> - unprivileged process took action to prevent gaining a capability.
> - exec'd suid sendmail.
> - sendmail took action as root because it could not become someone else.

Which is a classic bug and replicated historically in cpu time, quota and
other similar "remove rights and then .." attacks.

> I would like to trivially stop that entire class of exploit by making
> execing a suid ( or equivalent ) executable impossible.

Fine, the LSM modules can already build such policies or you can add a new
LSM for it - it doesn't need wacky one-off extensions to prctl.

Of course you could also have an LSM which undoes restrictions on suid
apps instead. That's an equally valid model, just don't load both at once
and don't assume you have the one true model.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
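The defensive counterpart of the sendmail failure discussed above, as an added example that is not part of this thread or of any kernel or sendmail code: a privilege drop that checks every return value and then verifies the result, so a drop that does not take effect is fatal instead of leaving the program running as root. It assumes Linux with glibc (setresuid/getresuid and friends); the function name drop_privileges is my own.

```c
#define _GNU_SOURCE   /* for setresuid/getresuid etc.; must precede the includes */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 only when every id has verifiably
 * changed and root cannot be regained; -1 otherwise. The caller must treat
 * -1 as fatal (exit) rather than carry on with whatever privileges it has. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* Supplementary groups first; only possible (and needed) while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Groups before uids: once the uid is gone we can no longer change gids. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* The call whose failure must not be ignored: on error we are still root. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify: real, effective AND saved ids must all be the target. */
    if (getresuid(&ruid, &euid, &suid) != 0 || ruid != uid || euid != uid || suid != uid)
        return -1;
    if (getresgid(&rgid, &egid, &sgid) != 0 || rgid != gid || egid != gid || sgid != gid)
        return -1;
    /* A genuine drop means root cannot be regained; if it can, the drop failed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* A setuid-root helper dropping to the user who invoked it. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("running as uid %d, gid %d\n", (int)geteuid(), (int)getegid());
    return 0;
}
```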