Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups

From: Josh Triplett
Date: Sat Nov 15 2014 - 14:29:41 EST

Next message: Florian Fainelli: "Re: [PATCH] irqchip: bcm7120-l2: fix error handling of irq_of_parse_and_map"
Previous message: Richard Cochran: "Re: [PATCH v4 2/6] input: touchscreen: ti_am335x_tsc: Remove udelay in interrupt handler"
In reply to: Eric W. Biederman: "Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups"
Next in thread: Andy Lutomirski: "Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote:
> Josh Triplett <josh@xxxxxxxxxxxxxxxx> writes:
>
> > Currently, unprivileged processes (without CAP_SETGID) cannot call
> > setgroups at all. In particular, processes with a set of supplementary
> > groups cannot further drop permissions without obtaining elevated
> > permissions first.
> >
> > Allow unprivileged processes to call setgroups with a subset of their
> > current groups; only require CAP_SETGID to add a group the process does
> > not currently have.
>
> A couple of questions.
> - Is there precedence in other unix flavors for this?

I found a few references to now-nonexistent pages at MIT about a system
with this property, but other than that no.

I've also found more than a few references to people wanting this
functionality.

> - What motiviates this change?

I have a series of patches planned to add more ways to drop elevated
privileges without requiring a transition through root to do so. That
would improve the ability for unprivileged users to run programs
sandboxed with even *less* privileges. (Among other things, that would
also allow programs running with no_new_privs to further *reduce* their
privileges, which they can't currently do in this case.)

> - Have you looked to see if anything might for bug compatibilty
> require applications not to be able to drop supplementary groups?

I haven't found any such case; that doesn't mean such a case does not
exist. Feedback welcome.

The only case I can think of (and I don't know of any examples of such a
system): some kind of quota system that limits the members of a group to
a certain amount of storage, but places no such limit on non-members.

However, the idea of *holding* a credential (a supplementary group ID)
giving *less* privileges, and *dropping* a credential giving *more*
privileges, would completely invert normal security models. (The sane
way to design such a system would be to have a privileged group for
"users who can exceed the quota".)

If it turns out that a real case exists that people care about, I could
easily make this configurable, either at compile time or via a sysctl.

- Josh Triplett
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Florian Fainelli: "Re: [PATCH] irqchip: bcm7120-l2: fix error handling of irq_of_parse_and_map"
Previous message: Richard Cochran: "Re: [PATCH v4 2/6] input: touchscreen: ti_am335x_tsc: Remove udelay in interrupt handler"
In reply to: Eric W. Biederman: "Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups"
Next in thread: Andy Lutomirski: "Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]