diff options
| author | Sergey Bugaev <bugaevc@gmail.com> | 2021-05-29 16:36:53 +0300 |
|---|---|---|
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2022-08-10 22:14:43 +0200 |
| commit | 3c9f1482b6890cfed89880e728ec6114e37c33d4 (patch) | |
| tree | e2123a981944ae638387df90e0c2696e8ac899a9 /proc/mgt.c | |
| parent | 29e3f1804c28cdcef6d130cf4c426fd40d10197b (diff) | |
| download | hurd-3c9f1482b6890cfed89880e728ec6114e37c33d4.tar.gz hurd-3c9f1482b6890cfed89880e728ec6114e37c33d4.tar.bz2 hurd-3c9f1482b6890cfed89880e728ec6114e37c33d4.zip | |
proc: Use UIDs for evaluating permissions
The previous scheme was to check that PROC1 has the UID that is designated
as PROC2's "owner". This is extremely problematic for several reasons,
including:
* The UIDs and the owner of a process are set separately and can easily get out
of sync. While S_proc_setowner () checks that the new owner is among the UIDs
that the process has, this invariant is violated after the process is given a
new set of UIDs with S_proc_reauthenticate (). In particular, this happens
during execution of a SUID binary: the process is reauthenticated to a
different set of UIDs first, and its owner is udpated later, if at all.
* In the Hurd, a process can have multiple UIDs. Having to designate just one
of them as the owner means the other UIDs get ignored for the purpose of
permission checking. One particularly problematic case is a SUID process that
temporarily lowers its effective UID: glibc sets the first effective UID as
the process owner, giving just about anyone access to the task.
Resolve this by ignoring the owner for the purpose of permission checking, and
relying solely on the authenticated UIDs. Roughly speaking, PROC1 can get
complete access to PROC2 if the UIDs PROC1 has form a superset of the UIDs that
PROC2 has; in other words, the access is only allowed when it would not result
in PROC1 getting access to UIDs it doesn't have already. Of course, root is
still allowed to access any process.
In particular, this means that:
* a process can access another process if they have the same auth;
* a process that has "more auth" can access one that has "less auth", but not
the other way around;
* a SUID-root process that has lowered its effective UIDs can only be accessed
by root.
Another important point here is that the UIDs in question are both effective
and available UIDs that a process has. Normally, available UIDs are ignored for
the purpose of permission checking (and that is their whole point). However,
POSIX description of kill(2) has the following clause:
> For a process to have permission to send a signal to a process designated by
> pid, unless the sending process has appropriate privileges, the real or
> effective user ID of the sending process shall match the real or saved
> set-user-ID of the receiving process.
Which I read as saying that the real (i.e. available) UID(s) of PROC1 should be
used for evaluating whether kill(2) can succeed, not only its effective UID(s).
Diffstat (limited to 'proc/mgt.c')
0 files changed, 0 insertions, 0 deletions