2

Let's say the following program is executed from a setuid-root binary, by a non-root user:

int main()
{
    if (fork()) {
        /* Parent process */
        int wstatus; wait(&wstatus);
        if (WEXITSTATUS(wstatus) == 0) {
            /* Child process exited with return code indicating success */
            do_something_potentially_dangerous();
            return 0;
        } else {
            /* Child process exited with return code indicating failure */
            puts("Access denied");
            return 1;
        }
    } else {
        /* Child process */
        setuid(getuid());
        /*
        ...
        */
        return do_critical_security_check();  /* let's say this returns 0 if it's safe */
    }
}

A setuid program normally runs with extra security measures that prevent the user who started it from tampering with its (privileged) execution. I can only assume this status is preserved when it forks a child process.

But when the child process drops root privileges, does it also drop any of this protection? Barring a vulnerability in the child process's code, would the unprivileged user be able to interfere with do_critical_security_check(), or otherwise force the child process to return 0 when it shouldn't? (Assume kernel.yama.ptrace_scope is set to 0.)

flarn2006
  • 1,787
  • 15
  • 37

1 Answers1

1

The ptrace man page specifies that it will (my emphasis):

  1. Deny access if neither of the following is true:

    • The real, effective, and saved-set user IDs of the target match the caller's user ID, and the real, effective, and saved-set group IDs of the target match the caller's group ID.

    • The caller has the CAP_SYS_PTRACE capability in the user namespace of the target.

So if there's a saved UID that's not available to the tracer, then the tracing process can't attach and hijack the child to access it.

If the child drops its EUID irrevocably (using setresuid()), then the tracing process can attach, but there's no saved UID to abuse.

Toby Speight
  • 27,591
  • 48
  • 66
  • 103
  • What about through mechanisms other than `ptrace`? `/proc/___/mem` for example. Also, even if there's no saved UID to abuse, remember, the parent process is relying on the child process's exit code for a security-critical decision. – flarn2006 Jan 10 '20 at 16:24
  • 1
    This also means that a process dropping its EUID irrevocably should make sure any sensitive information is cleared from its memory before doing so, I assume? – flarn2006 Jan 10 '20 at 16:27