Re: Thoughts on credential switching

From: Florian Weimer
Date: Thu Mar 27 2014 - 09:06:51 EST

Next message: Daniel Borkmann: "Re: [PATCH] random32: avoid attempt to late reseed if in the middle of seeding"
Previous message: Mark Brown: "Re: [PATCH] ASoC: fsl_sai: Add isr to deal with error flag"
In reply to: Jeff Layton: "Re: Thoughts on credential switching"
Next in thread: Boaz Harrosh: "Re: Thoughts on credential switching"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 03/27/2014 02:02 PM, Jeff Layton wrote:

This interface does not address the long-term lack of POSIX
compliance in setuid and friends, which are required to be
process-global and not thread-specific (as they are on the kernel
side).

glibc works around this by reserving a signal and running set*id on
every thread in a special signal handler. This is just crass, and it
is likely impossible to restore the original process state in case of
partial failure. We really need kernel support to perform the
process-wide switch in an all-or-nothing manner.

I disagree. We're treading new ground here with this syscall. It's
not defined by POSIX so we're under no obligation to follow its silly
directives in this regard. Per-process cred switching doesn't really
make much sense in this day and age, IMO. Wasn't part of the spec was
written before threading existed

Okay, then we need to add a separate set of system calls.

I really, really want to get rid of that signal handler mess in glibc, with its partial failures.

The per-process credential switching is pretty universally a pain in
the ass for anyone who wants to write something like a threaded file
server. Jeremy Allison had to jump through some rather major hoops to
work around it for Samba [1]. I think we want to strive to make this a
per-task credential switch and ignore that part of the POSIX spec.

Yeah, I get that, setfsuid/setfsgid already behaves this way.

(Current directory and umask are equally problematic, but it's possible to avoid most issues.)

That said, I think we will need to understand and document what we
expect to occur if someone does this new switch_creds(fd) call and then
subsequently calls something like setuid(), if only to ensure that we
don't get blindsided by it.

Currently, from the kernel perspective, this is not really a problem because the credentials are always per-task. It's just that a conforming user space needs the process-wide credentials.

--
Florian Weimer / Red Hat Product Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Daniel Borkmann: "Re: [PATCH] random32: avoid attempt to late reseed if in the middle of seeding"
Previous message: Mark Brown: "Re: [PATCH] ASoC: fsl_sai: Add isr to deal with error flag"
In reply to: Jeff Layton: "Re: Thoughts on credential switching"
Next in thread: Boaz Harrosh: "Re: Thoughts on credential switching"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]