[PATCH] Error checking for SETXID (bug 13347)
Rich Felker
dalias@aerifal.cx
Mon Mar 24 16:26:00 GMT 2014
On Mon, Mar 24, 2014 at 04:57:23PM +0100, Florian Weimer wrote:
> >I was asking whether there might be a way to setup the
> >conditions prior to making the setuid syscalls such that if the first
> >one succeeds, the subsequent ones cannot fail.
>
> Not in general, no, because the kernel implementation calls into the
> Linux Security Module framework, whose modules typically implement
> additional preconditions we cannot check in glibc due to
> insufficient information.
Yes, I'm well aware of the Linux Insecurity Modules framework. Any
framework that can make standard functions with documented interface
contracts violate their own interface contracts subtracts from the
security of a system rather than adding to it, and I really have no
problem with telling users this if they're running broken Insecurity
Modules.
But back to the topic, I was assuming correct behavior from the
kernel. If the kernel misbehaves, aborting is a perfectly reasonable
response (but if LSM's make the kernel lie, can you even tell if it
misbehaved?).
Rich
More information about the Libc-alpha
mailing list