Re: Re: [PATCH 1/3] switch_creds: Syscall to switch creds for file server ops

From: Jim Lieb
Date: Wed Oct 16 2013 - 23:36:29 EST


On Thursday, October 17, 2013 02:20:50 Al Viro wrote:
> On Wed, Oct 16, 2013 at 06:18:16PM -0700, Eric W. Biederman wrote:
> > That doesn't look bad but it does need capable(CAP_SETUID) &&
> > capable(CAP_SETGID) or possibly something a little more refined.
>
> D'oh
>
> > I don't think we want file descriptor passing to all of a sudden become
> > a grant of privilege, beyond what the passed fd can do.
>
> Definitely. And an extra ) to make it compile wouldn't hurt either...

Ok, I'll rework this, dropping the void arg etc. How about this:

1. have one arg, the fd, i.e. SYSCALL_DEFINE1(switch_cred, int, fd)

2. if the fd >=0 do the override in my "use the fd" variation. This would do
the capability check after the valid fd check. This means that you must have
privs to mess with privs. Returns 0 or either EBADF or EPERM

3. if the fd == -1 do the revert case. The reason for this is there are 4
syscalls needed to change the creds and each has an error return. We need
a way to escape the damage and a revert to the real creds set is the best way
to return to a known state. This does not require a capability check because
all that can happen is to return to the immutable real set. Also, I don't
need the initial open of /dev/null.

Does this fit?

Jim
--
Jim Lieb
Linux Systems Engineer
Panasas Inc.

"If ease of use was the only requirement, we would all be riding tricycles"
- Douglas Engelbart 1925–2013
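A userspace model of the switch_cred(fd) semantics proposed in the mail above (fd check before capability check, EBADF/EPERM returns, and an unchecked revert on fd == -1), added here as an illustration rather than code from the patch or the thread; the struct names, the per-fd "opener" creds and the fd-table size are assumptions:

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed userspace model of the proposed switch_cred(fd) behaviour.
 * The per-fd "opener" creds, the 8-entry fd table and all names here are
 * assumptions made for illustration; this is not kernel code. */

#define CAP_SETUID 0x1u
#define CAP_SETGID 0x2u
#define NFDS 8

struct cred { unsigned uid, gid, caps; };
struct file { bool open; struct cred opener; }; /* creds of whoever opened the fd */
struct task { struct cred real, cur; struct file fds[NFDS]; };

/* fd >= 0: check the fd is valid (EBADF), then that the caller currently holds
 * CAP_SETUID and CAP_SETGID (EPERM), then override cur with the fd's creds.
 * fd == -1: revert to the immutable real creds with no capability check,
 * since the only reachable state is the real set. */
int switch_cred(struct task *t, int fd)
{
    const unsigned need = CAP_SETUID | CAP_SETGID;

    if (fd == -1) {
        t->cur = t->real;
        return 0;
    }
    if (fd < 0 || fd >= NFDS || !t->fds[fd].open)
        return -EBADF;
    if ((t->cur.caps & need) != need)
        return -EPERM;
    t->cur = t->fds[fd].opener;
    return 0;
}

/* Walks the sequence a file server would hit; returns how many of the five
 * expected outcomes were observed (5 means the model behaves as described). */
int scenario_checks_passed(void)
{
    struct task t = { .real = { 0, 0, CAP_SETUID | CAP_SETGID } };
    int ok = 0;

    t.cur = t.real;
    t.fds[3] = (struct file){ true, { 1000, 1000, 0 } }; /* unprivileged client */

    ok += switch_cred(&t, 9) == -EBADF;                 /* bad fd rejected first */
    ok += switch_cred(&t, 3) == 0 && t.cur.uid == 1000; /* override to client creds */
    ok += switch_cred(&t, 3) == -EPERM;                 /* now lacks caps: refused */
    ok += switch_cred(&t, -1) == 0 && t.cur.uid == 0;   /* revert needs no caps */
    ok += switch_cred(&t, 3) == 0;                      /* real set restored */
    return ok;
}
```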