On Thu, Nov 17, 2016 at 3:55 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: > >> On Thu, Nov 17, 2016 at 9:08 AM, Eric W. Biederman >> <ebiederm@xxxxxxxxxxxx> wrote: >>> >>> It is the reasonable expectation that if an executable file is not >>> readable there will be no way for a user without special privileges to >>> read the file. This is enforced in ptrace_attach but if we are >>> already attached there is no enforcement if a readonly executable >>> is exec'd. >>> >>> Therefore do the simple thing and if there is a non-dumpable >>> executable that we are tracing without privilege fail to exec it. >>> >>> Fixes: v1.0 >>> Cc: stable@xxxxxxxxxxxxxxx >>> Reported-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> >>> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> >>> --- >>> fs/exec.c | 8 +++++++- >>> 1 file changed, 7 insertions(+), 1 deletion(-) >>> >>> diff --git a/fs/exec.c b/fs/exec.c >>> index fdec760bfac3..de107f74e055 100644 >>> --- a/fs/exec.c >>> +++ b/fs/exec.c >>> @@ -1230,6 +1230,11 @@ int flush_old_exec(struct linux_binprm * bprm) >>> { >>> int retval; >>> >>> + /* Fail if the tracer can't read the executable */ >>> + if ((bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) && >>> + !ptracer_capable(current, bprm->mm->user_ns)) >>> + return -EPERM; >>> + >> >> At the very least, I think that BINPRM_FLAGS_ENFORCE_NONDUMP needs to >> check capable_wrt_inode_uidgid too. Otherwise we risk breaking: >> >> $ gcc whatever.c >> $ chmod 400 a.out >> $ strace a.out > > It is an invariant that if you have caps in mm->user_ns you will > also be capable_write_inode_uidgid of all files that a process exec's. I meant to check whether you *are* the owner, too. > > My third patch winds up changing mm->user_ns to maintain this invariant. > > It is also true that Willy convinced me while this check is trivial it > will break historic uses so I have replaced this patch with: > "ptrace: Don't allow accessing an undumpable mm. I think that's better. > > Eric > > -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html