[RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve
James Morris
jmorris at namei.org
Fri Jun 14 05:09:43 UTC 2019
On Thu, 13 Jun 2019, Igor Lubashev wrote:
> I've posted this in March but received no response. Reposting.
>
> This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
> preserved across execve. It is currently impossible to execve a
> program such that effective and filesystem uid differ.
>
> The need for this functionality arose from a desire to allow certain
> non-privileged users to run perf. To do this, we install perf without
> set-uid-root and have a set-uid-root wrapper decide who is allowed to
> run perf (and with what arguments).
>
> The wrapper must execve perf with real and effective root uid, because
> perf and KASLR require this. However, that presently resets fsuid to
> root, giving the user ability to read and overwrite any file owned by
> root (perf report -i, perf record -o). Also, perf record will create
> perf.data that cannot be deleted by the user.
>
> We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive
> level, since we must be selective which users have the permissions.
>
> Of course, we could fix our problem by a patch to perf to allow
> passing a username on the command line and having perf execute
> setfsuid before opening files. However, perf is not the only program
> that uses kernel features that require root uid/euid, so a general
> solution that does not involve updating all such programs seems
> warranted.
This seems like a very specific corner case, depending on fsuid!=0 for an
euid=0 process, along with a whitelist policy for perf arguments. It would
be a great way to escalate to root via a bug in an executed app or via a
wrapper misconfiguration.
It also adds complexity to kernel credential handling -- it's yet another
thing to consider when trying to reason about this.
Have you considered the example security configuration in
Documentation/admin-guide/perf-security.rst ?
What are some other examples of programs that could utilize this scheme?
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list