author Eric Paris <eparis@redhat.com> 2012-01-03 14:23:08 -0500
committer Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:17:00 -0500
commit 633b45454503489209b0d9a45f9e3cd1b852c614 (patch)
tree 591363d3be6b773f872b979727d4ac1a9691ec82 /fs/proc
parent 0a300be6d5be8f66cd96609334710c268d0bfdce (diff)
audit: only allow tasks to set their loginuid if it is -1
At the moment we allow tasks to set their loginuid if they have CAP_AUDIT_CONTROL. In reality we want tasks to set the loginuid when they log in and it be impossible to ever reset. We had to make it mutable even after it was once set (with the CAP) because on update an admin might have to restart sshd. Now sshd would get his loginuid and the next user which logged in using ssh would not be able to set his loginuid.

Systemd has changed how userspace works and allowed us to make the kernel work the way it should. With systemd, users (even admins) are not supposed to restart services directly. The system will restart the service for them. Thus since systemd is going to loginuid==-1, sshd would get -1, and sshd would be allowed to set a new loginuid without special permissions.

If an admin in this system were to manually start an sshd he is inserting himself into the system chain of trust and thus, logically, it's his loginuid that should be used! Since we have old systems I make this a Kconfig option.

Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'fs/proc')
-rw-r--r-- fs/proc/base.c 3
1 files changed, 0 insertions, 3 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index e3cbebbabebd..482df23036b5 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1197,9 +1197,6 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
1197 ssize_t length; 1197 ssize_t length;
1198 uid_t loginuid; 1198 uid_t loginuid;
1199 1199
1200 if (!capable(CAP_AUDIT_CONTROL))
1201 return -EPERM;
1202
1203 rcu_read_lock(); 1200 rcu_read_lock();
1204 if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) { 1201 if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
1205 rcu_read_unlock(); 1202 rcu_read_unlock();
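Review bot: With the capable(CAP_AUDIT_CONTROL) test at old lines 1200-1202 gone, the only permission check left in the visible part of proc_loginuid_write() is the current != pid_task(proc_pid(inode), PIDTYPE_PID) comparison, which restricts the write to the task's own entry and nothing more. The commit message says the new "only if it is -1" rule is a Kconfig option, but this file shows 0 insertions and no #ifdef, so the capability check is removed here for both settings of that option. Please confirm that the code performing the actual set (outside this fs/proc-limited view) enforces the -1 rule when the option is on and still requires CAP_AUDIT_CONTROL when it is off, since otherwise an unprivileged task on an old-style system could rewrite its own loginuid. A one-line comment at this spot saying where the permission decision now lives would keep a later reader from assuming the write path is unchecked.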