Re: Question regarding blocking set[ug]id on processes including via suid executables

From: Vito Caputo
Date: Tue May 12 2020 - 06:44:10 EST


On Tue, May 12, 2020 at 02:45:24AM -0700, Vito Caputo wrote:
> Hello folks,
>
> I'm curious if someone knows a way to do this using existing linux
> interfaces.
>
> I'd like to create a login lacking the ability to switch uid/gid.
>
> Even if the process has access to suid executables like /bin/su, and
> the user has the root password, I'd like the descendant processes of
> their login to be simply incapable of changing uid/gid, even when it's
> in the form of running a program w/suid bit set on an existing and
> accessible executable in the filesystem. No matter what, it just
> can't happen.
>
> Do we have any such thing today? I'd really like to be able to set
> this on a specific user and all logins of that user are simply stuck
> on that uid no matter what.
>


Basically what I'm looking for is a convention for login-time
application of the PR_SET_NO_NEW_PRIVS prctl, do we have anything
formalized in userspace for this? We've got NoNewPrivileges in
systemd but it's not really user-oriented AFAIK...

Maybe lkml isn't the right place to pose this question, any pointers
appreciated though.

Cheers,
Vito Caputo