On 07/23/2018 01:55 PM, Michael Tirado wrote:
Hey, I'm not seeing much activity on this so here's my $0.02
Unix socket automatically translates pid attached to SCM_CREDENTIALS.
This requires CAP_SYS_ADMIN for sending arbitrary pids and entering
into pid namespace, this expose process and could be insecure.
Perhaps it would be a good idea to add a sysctl switch that prevents
credential spoofing over AF_UNIX \by default\ if that is the main
concern, or is there another concern and I have read this wrong? I'm
having trouble thinking of a legitimate use of SCM_CREDENTIALS
spoofing that isn't in a debugging or troubleshooting context and
would be more comfortable if it were not possible at all... Anyone
know of a program that relies on this spoofing functionality?
If you look at socket(7) under SO_PEERCRED there is a way to get
credentials at time of connect() for an AF_UNIX SOCK_STREAM, or at
time of socketpair() for a SOCK_DGRAM. I would like to think these
credentials are reliable, but will probably require some extra daemon
to proxy a dgram syslog socket.
Thanks for the comments Michael! The usecase we are considering involves
non root monitor process be able to translate the process ID of other
non-root processes under same user within nested PID namespaces. With
SCM_CREDENTIALS method, we require open sockets and connections between
the processes which require PID translation and also CAP_SYS_ADMIN which
is higher than required privilege level for non-root monitor process.
The current patch solves this problem by enabling to open the related
procfs fd when required during PID translation. I believe almost
everyone agreed on this V6 patch but not sure why it is in limbo still.
Thanks,
Nagarathnam.
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
