This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] Linux: Implement per-thread user and group IDs


On Fri, Jun 28, 2019 at 08:54:05PM +0200, Florian Weimer wrote:
> This commit adds the functions pthread_attr_setperthreadids_np and
> pthread_attr_getperthreadids_np.  Threads created with the new flag
> will be exempted from the setxid broadcast.  setuid and related
> functions will only update the credentials for the current thread.
> 
> Multi-threaded file servers typically need this functionality and
> call the system calls directly to implement this.

>From a security standpoint, this is a really bad idea. Given a set of
tasks sharing virtual address space, the individual privilege of each
is effectively the union of the privileges of them all, simply because
each has the capacity to undermine the execution integrity of all the
others.

For fsuid/fsgid, we already have per-thread behavior, and it's
somewhat reasonable because there's an understanding that this is
*not* restricting the privilege of the thread, just performing fs
access "as if" by another user/group (you always have the privilege to
revert fsuid/fsgid changes anyway). The useful part of the new
functionality your patch adds seems to just duplicate this, and the
remainder of the new functionality all seems actively dangerous,
creating a false impression that you can make isolated security
contexts as threads within a process.

Rich


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]