[Bug nptl/13347] Threaded setuid() can wrongly report success when failing to drop privileges

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "carlos_odonell at mentor dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug nptl/13347] Threaded setuid() can wrongly report success when failing to drop privileges
Date: Tue, 24 Jul 2012 18:35:00 -0000	[thread overview]
Message-ID: <bug-13347-131-kF6x2SNWdN@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-13347-131@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=13347

--- Comment #4 from Carlos O'Donell <carlos_odonell at mentor dot com> 2012-07-24 18:35:22 UTC ---
(In reply to comment #3)
> Before I try, I'd like to know what level of quality we're aiming for. The
> difficulty with this issue is that in the case of failure, the process is in an
> inconsistent state (threads do not all have the same uid anymore) and it's
> impossible to back-out the partial change. On Linux, I believe that once at
> least one thread has successfully changed uid, it's impossible for others to
> fail due to ENOMEM (since the same kernelspace privilege object gets used from
> the cache); the only possible failure is due to malicious security modules or
> RLIMIT_NPROC issues on pre-3.1 kernels.
> 
> In musl, I "solved" the issue fully by assuming the above, and refusing to
> setuid at all if the real uid will be changed and we can't temporarily set the
> rlimit to infinity. There's still code that will return an error if some but
> not all threads change uid, but I believe the failure will only happen in the
> real world on the first thread to attempt the change, if any.
> 
> Without that additional workaround (which may be undesirable to some users..?)
> I'm not clear on what setuid should do when some threads succeed and others
> fail. Returning -1 with errno set might imply to the caller that the uid was
> not changed, and some folks I discussed this with in the security field
> recommended that libc should just abort the program rather than return with an
> inconsistent state (different uid in different threads), but from a robustness
> standpoint this is highly undesirable...
> 
> Once there's some agreement on what the policy should be, I can work on a
> patch. Short of that, a patch to at least make it fail with the process in an
> inconsistent state would be better than the current situation (wrongly
> reporting failure).

Answering this question and getting some consensus is part of crafting the
solution. Start by emailing libc-alpha@sourceware.org to get input.

IMO the guiding principle to date has been that we should report failure to the
user and let the user decide what to do. Failing to report a failure is worst
possible defect.

Does that make sense?

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

next prev parent reply	other threads:[~2012-07-24 18:35 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-10-26  3:33 [Bug nptl/13347] New: " bugdal at aerifal dot cx
2012-03-17 20:38 ` [Bug nptl/13347] " bugdal at aerifal dot cx
2012-04-29  3:03 ` bugdal at aerifal dot cx
2012-04-29 17:00 ` ppluzhnikov at google dot com
2012-07-24 14:52 ` carlos_odonell at mentor dot com
2012-07-24 14:56 ` fweimer at redhat dot com
2012-07-24 18:15 ` bugdal at aerifal dot cx
2012-07-24 18:35 ` carlos_odonell at mentor dot com [this message]
2012-07-24 23:04 ` bugdal at aerifal dot cx
2012-07-25  2:20 ` carlos_odonell at mentor dot com
2012-12-03 23:57 ` carlos at systemhalted dot org
2014-03-24 13:57 ` fweimer at redhat dot com
2014-03-24 15:19 ` bugdal at aerifal dot cx
2014-03-24 18:32 ` carlos at redhat dot com
2014-04-01 10:13 ` cvs-commit at gcc dot gnu.org
2014-04-01 11:54 ` joseph at codesourcery dot com
2014-04-01 12:21 ` cvs-commit at gcc dot gnu.org
2014-04-01 12:21 ` fweimer at redhat dot com
2014-06-27 11:43 ` fweimer at redhat dot com
2014-06-27 13:15 ` bugdal at aerifal dot cx
2014-07-09 10:26 ` fweimer at redhat dot com
2014-07-22 12:35 ` fweimer at redhat dot com
2014-07-22 12:57 ` bugdal at aerifal dot cx

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-13347-131-kF6x2SNWdN@http.sourceware.org/bugzilla/ \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=glibc-bugs@sources.redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).