[PATCH v2] exec: Correct the permission check for unsafe exec

Kees Cook kees at kernel.org
Tue May 20 22:35:03 UTC 2025


On Tue, May 20, 2025 at 05:13:03PM -0500, Eric W. Biederman wrote:
> Max Kellerman recently experienced a problem[1] when calling exec with
> differing uid and euid's and he triggered the logic that is supposed
> to only handle setuid executables.

Max, can you verify this patch solves your use case?

> [...]
> To minimize behavioural changes the code continues to set secureexec
> when euid != uid or when egid != gid.
> [...]
> @@ -993,7 +987,9 @@ int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
>  		return -EPERM;
>  
>  	/* Check for privilege-elevated exec. */
> -	if (is_setid ||
> +	if (id_changed ||
> +	    !uid_eq(new->euid, old->uid) ||
> +	    !gid_eq(new->egid, old->gid) ||
>  	    (!__is_real(root_uid, new) &&
>  	     (effective ||
>  	      __cap_grew(permitted, ambient, new))))
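Review bot: the two added conditions compare new->euid against old->uid and new->egid against old->gid, which matches the "continues to set secureexec when euid != uid or when egid != gid" behaviour the description says is kept on purpose, but the only comment above them is still the generic "Check for privilege-elevated exec." A one-line comment stating that these two lines are the retained compatibility rule, and why old->uid (not old->euid) is the baseline being compared, would save the next reader from re-deriving it. Also, `id_changed` replaces `is_setid` in this hunk while its definition sits in a hunk elided with "[...]" above, so it is worth confirming in review that the earlier hunk defines `id_changed` with the meaning this condition relies on.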

Great! Thanks for the secureexec tweak here. Jann, does this look
reasonable to you?

-Kees

-- 
Kees Cook


