stackoom
  简体   繁体   中英

If a process started from a setuid binary forks, and the child drops privileges, can the child still be trusted?

 原文  2020-01-10 15:28:09       linux/ security/ fork/ setuid

Question

Let's say the following program is executed from a setuid-root binary, by a non-root user:

int main()
{
    if (fork()) {
        /* Parent process */
        int wstatus; wait(&wstatus);
        if (WEXITSTATUS(wstatus) == 0) {
            /* Child process exited with return code indicating success */
            do_something_potentially_dangerous();
            return 0;
        } else {
            /* Child process exited with return code indicating failure */
            puts("Access denied");
            return 1;
        }
    } else {
        /* Child process */
        setuid(getuid());
        /*
        ...
        */
        return do_critical_security_check();  /* let's say this returns 0 if it's safe */
    }
}

A setuid program normally runs with extra security measures that prevent the user who started it from tampering with its (privileged) execution. I can only assume this status is preserved when it forks a child process.

But when the child process drops root privileges, does it also drop any of this protection? Barring a vulnerability in the child process's code, would the unprivileged user be able to interfere with do_critical_security_check() , or otherwise force the child process to return 0 when it shouldn't? (Assume kernel.yama.ptrace_scope is set to 0.)

1 answers

solution1
 1 ACCPTED  2020-01-10 15:35:17

The ptrace man page specifies that it will (my emphasis):

  1. Deny access if neither of the following is true:

    • The real, effective, and saved-set user IDs of the target match the caller's user ID, and the real, effective, and saved-set group IDs of the target match the caller's group ID.

    • The caller has the CAP_SYS_PTRACE capability in the user namespace of the target.

So if there's a saved UID that's not available to the tracer, then the tracing process can't attach and hijack the child to access it.

If the child drops its EUID irrevocably (using setresuid() ), then the tracing process can attach, but there's no saved UID to abuse.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question setuid create one child process Child process ignores SIGQUIT if started from Java Can't detach child process when main process is started from systemd if a process mallocs memory and then forks, will the child process have a proper malloced memory Can't set signal handler for SIGQUIT in child process started from Java Forks and parent child communication Bash wait on child process can return even when child process is still running How do I keep Perl from consuming tons of memory when child forks of a large parent process shut down? Change current directory for child process started with execve() limit number of forks/child procs
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM