Re: Thoughts on credential switching

On 03/27/2014 01:23 AM, Andy Lutomirski wrote:

> I propose the following set of new syscalls:
>
> int credfd_create(unsigned int flags): returns a new credfd that
> corresponds to current's creds.
>
> int credfd_activate(int fd, unsigned int flags): Change current's
> creds to match the creds stored in fd.  To be clear, this changes both
> the "subjective" and "objective" (aka real_cred and cred) because
> there aren't any real semantics for what happens when userspace code
> runs with real_cred != cred.

This interface does not address the long-term lack of POSIX compliance in setuid and friends, which are required to be process-global and not thread-specific (as they are on the kernel side).

glibc works around this by reserving a signal and running set*id on every thread in a special signal handler. This is just crass, and it is likely impossible to restore the original process state in case of partial failure. We really need kernel support to perform the process-wide switch in an all-or-nothing manner.

--
Florian Weimer / Red Hat Product Security Team
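As an added example (not code from this thread or from glibc), a defender-side check for the partial-failure state Florian describes: it reads /proc/<pid>/task/*/status, which exposes the kernel's per-thread credentials, and counts threads whose uid/gid sets disagree with the rest of the process. It assumes a Linux host with /proc mounted; the function and struct names are my own.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Per-task credentials as exposed by /proc/<pid>/task/<tid>/status. */
struct task_creds { unsigned int uid[4], gid[4]; };  /* real, effective, saved, fs */

/* Parse the "Uid:" and "Gid:" lines of one task's status file. */
static int read_task_creds(pid_t pid, pid_t tid, struct task_creds *tc) {
    char path[64], line[256];
    int got = 0;
    snprintf(path, sizeof path, "/proc/%d/task/%d/status", (int)pid, (int)tid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "Uid: %u %u %u %u", &tc->uid[0], &tc->uid[1], &tc->uid[2], &tc->uid[3]) == 4)
            got |= 1;
        else if (sscanf(line, "Gid: %u %u %u %u", &tc->gid[0], &tc->gid[1], &tc->gid[2], &tc->gid[3]) == 4)
            got |= 2;
    }
    fclose(f);
    return got == 3 ? 0 : -1;   /* both lines must be present */
}

/* Walk every thread of pid and count those whose uid/gid set differs from the
   first thread seen. 0 means the process is credential-consistent; -1 on error. */
int count_divergent_threads(pid_t pid) {
    char dir[32];
    struct task_creds first, cur;
    int have_first = 0, divergent = 0;
    snprintf(dir, sizeof dir, "/proc/%d/task", (int)pid);
    DIR *d = opendir(dir);
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;   /* skip "." and ".." */
        if (read_task_creds(pid, (pid_t)atoi(e->d_name), &cur) != 0) continue;
        if (!have_first) { first = cur; have_first = 1; continue; }
        if (memcmp(&first, &cur, sizeof first) != 0) divergent++;
    }
    closedir(d);
    return have_first ? divergent : -1;
}
int main(void) {
    int n = count_divergent_threads(getpid());   /* check this process itself */
    printf("threads with divergent creds: %d\n", n);
    return n == 0 ? 0 : 1;
}
```

Run it against a multi-threaded daemon's pid after a privilege drop to confirm the drop reached every thread.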