Re: [patch v2] move RLIMIT_NPROC check from set_user() to do_execve_common()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 26 Jul 2011 18:48:48 +0400 Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
wrote:

> Neil, Solar,
> 
> On Tue, Jul 26, 2011 at 14:11 +1000, NeilBrown wrote:
> > I don't really see that failing mmap is any more hackish than failing execve.
> > 
> > Both are certainly hacks.  It is setuid that should fail, but that is
> > problematic.
> > 
> > We seem to agree that it is acceptable to delay the failure until the process
> > actually tries to run some code for the user.  I just think that
> > mapping-a-file-for-exec is a more direct measure of "trying to run some code
> > for the user" than "execve" is.
> > 
> > So they are both hacks, but one it more thorough than the other.  In the
> > world of security I would hope that "thorough" would win.
> 
> Well, I don't mind against something more generic than the check in
> execve(), however, the usefulness of the check in mmap() is unclear to
> me.  You want to make more programs fail after setuid(), but does mmap
> stops really many programs?  Do you know any program doing mmap/dlopen
> after setuid() call?  What if the program will not do any mmap/dlopen
> and e.g. start to handle network connections or do some computations?
> I suppose the latter case is much more often than mmap/dlopen.

I think I didn't make myself clear.
I don't mean we should intercept the mmap system call.

I mean we could intercept the internal kernel function do_mmap_pgoff.

This is used by the mmap system call but also (and more importantly) by the
execve system call and the uselib system call.

So any attempt to map a file and execute the code in that file - whether via
exec or via mapping a shared object - will go through do_mmap_pgoff.

So if we disable do_mmap_pgoff() requests which ask for execute permission
when a setuid has caused RLIMIT_NPROC to be exceeded, then we catch every
attempt to run the user's code as the user.

I won't catch a situation where an interpreter is already loaded into the
root-owned process and the setuid is followed by loading a script and running
that, it is isn't perfect.  But I think it is more general than just trapping
in execve.

NeilBrown

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux