On Wed, Nov 04, 2015 at 09:59:55AM -0800, Andy Lutomirski wrote: > On Tue, Nov 3, 2015 at 10:58 PM, Willy Tarreau <w@xxxxxx> wrote: > > On Tue, Nov 03, 2015 at 03:29:55PM -0800, Kees Cook wrote: > >> Using "write" does kill the set-gid bit. I haven't looked at > >> why. > >> Al or anyone else, is there a meaningful distinction here? > > > > I remember this one, I got caught once while trying to put a shell into > > a suid-writable file to get some privileges someone forgot to offer me :-) > > > > It's done by should_remove_suid() which is called upon write() and truncate(). > > > >> Should the > >> mmap MAP_SHARED-write trigger the loss of the set-gid bit too? While > >> holding the file open with either open or mmap, I get a Text-in-use > >> error, so I would kind of expect the same behavior between either > >> close() and munmap(). I wonder if this is a bug, and if so, then your > >> link patch is indeed useful again. :) > > > > I don't see how this could be done with mmap(). Maybe we have a way to know > > when the first write is performed via this path, I have no idea. > > do_wp_page might be a decent bet. Yep probably at the same place where we update the file's time ? That said I never feel completely comfortable with changing a file's permissions this way, I always fear it could break backup/restore applications. Let's imagine for a minute that a restore does this : extract(const char *file_name, int file_perms) { fd = open(".tmpfile", O_CREAT, file_perms); mmap(fd); /* actually write file */ close(fd); unlink(real_file_name); rename(".tmpfile", file_name); } Yes I know it's not safe to do the chmod before writing to the file but we could imagine some situations where it makes sense to be done this way (eg: if the file is put into a protected directory), and anyway this possibility is provided by open() and creat() so it is legitimate to imagine these ones could exist. Such a change would slightly modify semantics and affect such use cases *if they exist*, just like using write() instead of mmap() would fail. We could imagine having a sysctl to disable this strengthening, but it is probably not the best solution for the long term either. Just my two cents, Willy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html