This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Error checking for SETXID (bug 13347)
- From: Rich Felker <dalias at aerifal dot cx>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: "Joseph S. Myers" <joseph at codesourcery dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Mon, 24 Mar 2014 12:26:32 -0400
- Subject: Re: [PATCH] Error checking for SETXID (bug 13347)
- References: <53304186 dot 4000909 at redhat dot com> <Pine dot LNX dot 4 dot 64 dot 1403241516210 dot 6513 at digraph dot polyomino dot org dot uk> <20140324153224 dot GT26358 at brightrain dot aerifal dot cx> <533052C4 dot 2030702 at redhat dot com> <20140324154958 dot GU26358 at brightrain dot aerifal dot cx> <533055E3 dot 40801 at redhat dot com>
On Mon, Mar 24, 2014 at 04:57:23PM +0100, Florian Weimer wrote:

> > I was asking whether there might be a way to set up the
> > conditions prior to making the setuid syscalls such that if the first
> > one succeeds, the subsequent ones cannot fail.
>
> Not in general, no, because the kernel implementation calls into the
> Linux Security Module framework, whose modules typically implement
> additional preconditions we cannot check in glibc due to
> insufficient information.

Yes, I'm well aware of the Linux Insecurity Modules framework. Any
framework that can make standard functions with documented interface
contracts violate their own interface contracts subtracts from the
security of a system rather than adding to it, and I really have no
problem with telling users this if they're running broken Insecurity
Modules.

But back to the topic, I was assuming correct behavior from the
kernel. If the kernel misbehaves, aborting is a perfectly reasonable
response (but if LSMs make the kernel lie, can you even tell if it
misbehaved?).

Rich
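The defensive pattern the thread circles around, shown as an added example that is not code from this message or from glibc: drop privileges, then refuse to trust the syscall's return value alone and re-read all three ids with getresuid/getresgid, aborting if the kernel reports success but the credentials did not actually change. The `drop_privileges_checked` function and its return codes are assumptions of this example; running as an unprivileged user it "drops" to the caller's own ids so it can be executed anywhere.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop to the given uid/gid and verify the kernel really applied the change.
 * Returns 0 on verified success, -1 if a setres* call reported failure, and
 * -2 if the calls reported success but getres* disagrees (the "kernel lied"
 * case discussed above). Callers are expected to abort on any non-zero value.
 * (Hypothetical helper written for this example; not a glibc interface.) */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* Groups first: after the uid is dropped, setresgid would be refused. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Never trust the return value alone; re-read real, effective and saved ids. */
    if (getresgid(&rgid, &egid, &sgid) != 0 || getresuid(&ruid, &euid, &suid) != 0)
        return -2;
    if (rgid != gid || egid != gid || sgid != gid)
        return -2;
    if (ruid != uid || euid != uid || suid != uid)
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed input: an unprivileged process dropping to its own ids.
     * A real daemon would pass its service account's uid/gid here. */
    int rc = drop_privileges_checked(getuid(), getgid());
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed or was not applied (rc=%d)\n", rc);
        abort();
    }
    printf("privilege drop verified: uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

A real daemon would also call setgroups() before the uid change, while it still has the privilege to do so, and verify that list the same way.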