Re: Question regarding blocking set[ug]id on processes including via suid executables

From: Vito Caputo
Date: Tue May 12 2020 - 07:30:36 EST


On Tue, May 12, 2020 at 03:44:08AM -0700, Vito Caputo wrote:
> On Tue, May 12, 2020 at 02:45:24AM -0700, Vito Caputo wrote:
> > Hello folks,
> >
> > I'm curious if someone knows a way to do this using existing linux
> > interfaces.
> >
> > I'd like to create a login lacking the ability to switch uid/gid.
> >
> > Even if the process has access to suid executables like /bin/su, and
> > the user has the root password, I'd like the descendant processes of
> > their login to be simply incapable of changing uid/gid, even when it's
> > in the form of running a program w/suid bit set on an existing and
> > accessible executable in the filesystem. No matter what, it just
> > can't happen.
> >
> > Do we have any such thing today? I'd really like to be able to set
> > this on a specific user and all logins of that user are simply stuck
> > on that uid no matter what.
> >
>
>
> Basically what I'm looking for is a convention for login-time
> application of the PR_SET_NO_NEW_PRIVS prctl, do we have anything
> formalized in userspace for this? We've got NoNewPrivileges in
> systemd but it's not really user-oriented AFAIK...
>
> Maybe lkml isn't the right place to pose this question, any pointers
> appreciated though.
>

For posterity and comment if interested, PAM seems like a reasonable
integration point for this but I don't see any existing support
currently:

https://github.com/linux-pam/linux-pam/issues/224

I'll quit talking to myself on lkml and head to sleep now :)

Regards,
Vito Caputo