[PATCH] exec: Correct the permission check for unsafe exec
Kees Cook
kees at kernel.org
Thu May 15 22:09:48 UTC 2025
On Thu, May 15, 2025 at 11:24:47AM -0500, Eric W. Biederman wrote:
> I have condensed the logic from Linux-2.4.0-test12 to just:
> id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
>
> This change is userspace visible, but I don't expect anyone to care.
> [...]
> -static inline bool __is_setuid(struct cred *new, const struct cred *old)
> -{ return !uid_eq(new->euid, old->uid); }
> -
> -static inline bool __is_setgid(struct cred *new, const struct cred *old)
> -{ return !gid_eq(new->egid, old->gid); }
> -
> [...]
> - is_setid = __is_setuid(new, old) || __is_setgid(new, old);
> + id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
The core change here is testing for differing euid rather than
mismatched uid/euid. (And checking for egid in the set of all groups.)
Imagined situations:
- setuid process is sharing fs. We already believe this is a non-issue,
as Jann pointed out about Chrome's order of operations, so so changes
here are likely fine.
- somehow ptracing a process with uid!=euid, and it tries to exec a
different setuid==euid ELF. Is switching ELF images a security
boundary? Probably not realistically.
- setuid process sets NNP and execs a setuid==euid ELF, expecting to
have euid stripped. That doesn't happen any more. This is the most
worrisome case, but a program like that should _really_ have dropped
euid first if it is depending on that behavior. Hmmm. Probably some
code searching is needed...
-Kees
--
Kees Cook
More information about the Linux-security-module-archive
mailing list