From: Bernd Edlinger <bernd.edlinger@hotmail.de>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Roberto Sassu <roberto.sassu@huaweicloud.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Kees Cook <kees@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
Christian Brauner <brauner@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>, Serge Hallyn <serge@hallyn.com>,
James Morris <jamorris@linux.microsoft.com>,
Randy Dunlap <rdunlap@infradead.org>,
Suren Baghdasaryan <surenb@google.com>,
Yafang Shao <laoar.shao@gmail.com>, Helge Deller <deller@gmx.de>,
Adrian Reber <areber@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Jens Axboe <axboe@kernel.dk>, Alexei Starovoitov <ast@kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
linux-security-module@vger.kernel.org,
tiozhang <tiozhang@didiglobal.com>,
Luis Chamberlain <mcgrof@kernel.org>,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Frederic Weisbecker <frederic@kernel.org>,
YueHaibing <yuehaibing@huawei.com>,
Paul Moore <paul@paul-moore.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Stefan Roesch <shr@devkernel.io>, Chao Yu <chao@kernel.org>,
xu xin <xu.xin16@zte.com.cn>, Jeff Layton <jlayton@kernel.org>,
Jan Kara <jack@suse.cz>, David Hildenbrand <david@redhat.com>,
Dave Chinner <dchinner@redhat.com>, Shuah Khan <shuah@kernel.org>,
Elena Reshetova <elena.reshetova@intel.com>,
David Windsor <dwindsor@gmail.com>,
Mateusz Guzik <mjguzik@gmail.com>,
Ard Biesheuvel <ardb@kernel.org>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Hans Liljestrand <ishkamiel@gmail.com>,
Penglei Jiang <superman.xpt@gmail.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Adrian Ratiu <adrian.ratiu@collabora.com>,
Ingo Molnar <mingo@kernel.org>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Eric Dumazet <edumazet@google.com>,
zohar@linux.ibm.com, linux-integrity@vger.kernel.org,
Ryan Lee <ryan.lee@canonical.com>,
apparmor <apparmor@lists.ubuntu.com>
Subject: Re: Are setuid shell scripts safe? (Implied by security_bprm_creds_for_exec)
Date: Thu, 4 Dec 2025 14:03:27 +0100 [thread overview]
Message-ID: <GV2PPF74270EBEE0AAAE2EB22B668EE21A7E4A6A@GV2PPF74270EBEE.EURP195.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <20251204054915.GI1712166@ZenIV>
On 12/4/25 06:49, Al Viro wrote:
> On Wed, Dec 03, 2025 at 02:16:29PM +0100, Bernd Edlinger wrote:
>
>> Hmm, yes, that looks like an issue.
>>
>> I would have expected the security engine to look at bprm->filenanme
>> especially in the case, when bprm->interp != bprm->filename,
>> and check that it is not a sym-link with write-access for the
>> current user and of course also that the bprm->file is not a regular file
>> which is writable by the current user, if that is the case I would have expected
>> the secuity engine to enforce non-new-privs on a SUID executable somehow.
>
> Check that _what_ is not a symlink? And while we are at it, what do write
> permissions to any symlinks have to do with anything whatsoever?
When we execve a normal executable, we do open the binary file with deny_write_access
so this might allow the security engine to inspaect the binary, before it is used.
However this behavior has changed recently, now it has some exceptions, where even
this behavior is no longer guaranteed for binary executables, due to
commit 0357ef03c94ef835bd44a0658b8edb672a9dbf51, but why? I have no idea...
But with shell scripts an attack is possible, where a sym-link is executed,
and the SUID bit of the target file is used but a race condition might allow
the attacker to replace the script that is used by the shell:
Consider this:
ln -s /usr/bin/legitimate-suid-sctipt.sh
where legitimate-suid-sctipt.sh starts with "#! /bin/bash -"
and the attack works this way:
./legitmate-suid-script.sh &
ln -f -s do-what-i-want.sh legitimate-suid-script.sh
Bernd.
next prev parent reply other threads:[~2025-12-04 13:03 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AM8PR10MB470801D01A0CF24BC32C25E7E40E9@AM8PR10MB4708.EURPRD10.PROD.OUTLOOK.COM>
[not found] ` <AM8PR10MB470875B22B4C08BEAEC3F77FE4169@AM8PR10MB4708.EURPRD10.PROD.OUTLOOK.COM>
2023-10-30 5:20 ` [PATCH v12] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
2023-10-30 9:00 ` kernel test robot
[not found] ` <AS8P193MB12851AC1F862B97FCE9B3F4FE4AAA@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM>
2024-01-15 19:22 ` [PATCH v14] " Bernd Edlinger
2024-01-15 19:37 ` Matthew Wilcox
2024-01-17 9:51 ` Bernd Edlinger
2024-01-16 15:22 ` Oleg Nesterov
2024-01-17 15:07 ` Bernd Edlinger
2024-01-17 16:38 ` Oleg Nesterov
2024-01-22 13:24 ` Bernd Edlinger
2024-01-22 13:44 ` Oleg Nesterov
2024-01-22 21:30 ` Kees Cook
2024-01-23 18:30 ` Bernd Edlinger
2024-01-24 0:09 ` Kees Cook
[not found] ` <AS8P193MB1285937F9831CECAF2A9EEE2E4752@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM>
2025-08-18 6:04 ` [PATCH v15] " Jain, Ayush
2025-08-18 20:53 ` [PATCH v16] " Bernd Edlinger
2025-08-19 4:36 ` Kees Cook
2025-08-19 18:53 ` Bernd Edlinger
2025-08-21 17:34 ` [PATCH v17] " Bernd Edlinger
2025-10-27 6:26 ` Bernd Edlinger
2025-10-27 12:06 ` Peter Zijlstra
2025-11-02 16:17 ` Oleg Nesterov
2025-11-05 14:32 ` Oleg Nesterov
2025-11-11 9:21 ` Christian Brauner
2025-11-11 11:07 ` Bernd Edlinger
2025-11-11 13:12 ` Oleg Nesterov
2025-11-11 13:45 ` Bernd Edlinger
2025-11-12 9:52 ` Oleg Nesterov
2025-11-17 6:31 ` Bernd Edlinger
2025-11-17 15:01 ` Oleg Nesterov
2025-11-17 20:08 ` Bernd Edlinger
2025-11-23 18:32 ` Oleg Nesterov
2025-11-29 15:06 ` Bernd Edlinger
2025-12-01 15:13 ` Oleg Nesterov
2025-11-09 17:14 ` [RFC PATCH 0/3] mt-exec: fix deadlock with ptrace_attach() Oleg Nesterov
2025-11-09 17:14 ` [RFC PATCH 1/3] exec: make setup_new_exec() return int Oleg Nesterov
2025-11-09 17:15 ` [RFC PATCH 2/3] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov
2025-11-10 10:58 ` Cyrill Gorcunov
2025-11-10 15:09 ` Oleg Nesterov
2025-11-10 21:49 ` Cyrill Gorcunov
2025-11-11 14:09 ` Oleg Nesterov
2025-11-09 17:16 ` [RFC PATCH 3/3] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov
2025-11-10 5:28 ` [RFC PATCH 0/3] mt-exec: fix deadlock with ptrace_attach() Bernd Edlinger
2025-11-10 14:47 ` Oleg Nesterov
2025-11-18 18:13 ` [PATCH v18] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
2025-11-20 15:15 ` Eric W. Biederman
2025-11-20 17:29 ` Eric W. Biederman
2025-11-20 20:57 ` [RFC][PATCH] exec: Move cred computation under exec_update_lock Eric W. Biederman
2025-11-20 23:50 ` Eric W. Biederman
2025-11-21 2:59 ` Bernd Edlinger
2025-11-21 7:18 ` Eric W. Biederman
2025-11-21 9:35 ` Bernd Edlinger
2025-11-21 11:26 ` Bernd Edlinger
2025-11-21 19:19 ` Eric W. Biederman
2025-11-21 23:06 ` Ryan Lee
2025-11-23 18:52 ` Oleg Nesterov
2025-11-23 23:22 ` Eric W. Biederman
2025-11-25 16:19 ` Bernd Edlinger
2025-11-25 11:55 ` Roberto Sassu
2025-12-01 16:06 ` Are setuid shell scripts safe? (Implied by security_bprm_creds_for_exec) Eric W. Biederman
2025-12-01 16:49 ` Roberto Sassu
2025-12-01 18:53 ` Eric W. Biederman
2025-12-01 21:39 ` David Laight
2025-12-03 13:16 ` Bernd Edlinger
2025-12-04 5:49 ` Al Viro
2025-12-04 9:32 ` David Laight
2025-12-04 13:03 ` Bernd Edlinger [this message]
2025-12-04 15:43 ` Stephen Smalley
2025-11-22 17:10 ` [PATCH v18] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=GV2PPF74270EBEE0AAAE2EB22B668EE21A7E4A6A@GV2PPF74270EBEE.EURP195.PROD.OUTLOOK.COM \
--to=bernd.edlinger@hotmail.de \
--cc=adobriyan@gmail.com \
--cc=adrian.ratiu@collabora.com \
--cc=akpm@linux-foundation.org \
--cc=apparmor@lists.ubuntu.com \
--cc=ardb@kernel.org \
--cc=areber@redhat.com \
--cc=ast@kernel.org \
--cc=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=chao@kernel.org \
--cc=cyphar@cyphar.com \
--cc=david@redhat.com \
--cc=dchinner@redhat.com \
--cc=deller@gmx.de \
--cc=dwindsor@gmail.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=elena.reshetova@intel.com \
--cc=frederic@kernel.org \
--cc=gorcunov@gmail.com \
--cc=ishkamiel@gmail.com \
--cc=jack@suse.cz \
--cc=jamorris@linux.microsoft.com \
--cc=jlayton@kernel.org \
--cc=joel@joelfernandes.org \
--cc=kees@kernel.org \
--cc=laoar.shao@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=luto@amacapital.net \
--cc=mcgrof@kernel.org \
--cc=mhocko@suse.com \
--cc=mingo@kernel.org \
--cc=mjguzik@gmail.com \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=pc@manguebit.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=roberto.sassu@huaweicloud.com \
--cc=ryan.lee@canonical.com \
--cc=senozhatsky@chromium.org \
--cc=serge@hallyn.com \
--cc=shr@devkernel.io \
--cc=shuah@kernel.org \
--cc=superman.xpt@gmail.com \
--cc=surenb@google.com \
--cc=tglx@linutronix.de \
--cc=tiozhang@didiglobal.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
--cc=willy@infradead.org \
--cc=xu.xin16@zte.com.cn \
--cc=yuehaibing@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox