This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Linux: Implement per-thread user and group IDs
- From: Rich Felker <dalias at libc dot org>
- To: libc-alpha at sourceware dot org
- Date: Thu, 4 Jul 2019 17:38:38 -0400
- Subject: Re: [PATCH] Linux: Implement per-thread user and group IDs
- References: <874l49mtgy.fsf@oldenburg2.str.redhat.com>
On Fri, Jun 28, 2019 at 08:54:05PM +0200, Florian Weimer wrote:
> This commit adds the functions pthread_attr_setperthreadids_np and
> pthread_attr_getperthreadids_np. Threads created with the new flag
> will be exempted from the setxid broadcast. setuid and related
> functions will only update the credentials for the current thread.
>
> Multi-threaded file servers typically need this functionality and
> call the system calls directly to implement this.
From a security standpoint, this is a really bad idea. Given a set of
tasks sharing virtual address space, the individual privilege of each
is effectively the union of the privileges of them all, simply because
each has the capacity to undermine the execution integrity of all the
others.
For fsuid/fsgid, we already have per-thread behavior, and it's
somewhat reasonable because there's an understanding that this is
*not* restricting the privilege of the thread, just performing fs
access "as if" by another user/group (you always have the privilege to
revert fsuid/fsgid changes anyway). The useful part of the new
functionality your patch adds seems to just duplicate this, and the
remainder of the new functionality all seems actively dangerous,
creating a false impression that you can make isolated security
contexts as threads within a process.
Rich
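An added example, not part of Rich's mail or of the glibc patch under discussion: a small C check that reads each thread's Uid:/Gid: lines from /proc/self/task/<tid>/status and reports whether the threads of the calling process still share one set of ids (the state the setxid broadcast maintains) or have diverged, which is the per-thread state the proposed flag would make possible. It assumes the standard Linux /proc layout; the status text used to exercise the parser is constructed.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
/* One Linux task's ids: real, effective, saved, filesystem, in the order the
   kernel prints them on the Uid:/Gid: lines of /proc/<pid>/task/<tid>/status. */
struct task_creds { unsigned long uid[4], gid[4]; };
/* Parse the Uid: and Gid: lines of a status file: 0 on success, -1 if absent. */
int parse_status_creds(const char *text, struct task_creds *c)
{
    const char *u = strstr(text, "Uid:"), *g = strstr(text, "Gid:");
    if (!u || !g) return -1;
    if (sscanf(u, "Uid: %lu %lu %lu %lu",
               &c->uid[0], &c->uid[1], &c->uid[2], &c->uid[3]) != 4) return -1;
    if (sscanf(g, "Gid: %lu %lu %lu %lu",
               &c->gid[0], &c->gid[1], &c->gid[2], &c->gid[3]) != 4) return -1;
    return 0;
}
/* Read one task's status file and parse it: 0 on success, -1 on any error. */
static int read_task_creds(const char *path, struct task_creds *c)
{
    char buf[4096];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status_creds(buf, c);
}
/* Compare the ids of every thread of the calling process: 1 if all agree (the
   state glibc's setxid broadcast maintains), 0 if some thread differs (the
   per-thread state the patch would allow), -1 if /proc is unavailable. */
int self_threads_creds_consistent(void)
{
    struct task_creds first, cur;
    struct dirent *e;
    char path[300];
    int have_first = 0, result = 1;
    DIR *d = opendir("/proc/self/task");
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/proc/self/task/%s/status", e->d_name);
        if (read_task_creds(path, &cur) < 0) continue; /* thread already gone */
        if (!have_first) { first = cur; have_first = 1; }
        else if (memcmp(&first, &cur, sizeof cur) != 0) result = 0;
    }
    closedir(d);
    return have_first ? result : -1;
}
```

Run it from a thread of the process you want to inspect; a 0 result means at least one thread has ids that differ from the others, exactly the situation the mail argues gives no real isolation.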