Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 | ==================== Credentials in Linux ==================== By: David Howells <dhowells@redhat.com> .. contents:: :local: Overview ======== There are several parts to the security check performed by Linux when one object acts upon another: 1. Objects. Objects are things in the system that may be acted upon directly by userspace programs. Linux has a variety of actionable objects, including: - Tasks - Files/inodes - Sockets - Message queues - Shared memory segments - Semaphores - Keys As a part of the description of all these objects there is a set of credentials. What's in the set depends on the type of object. 2. Object ownership. Amongst the credentials of most objects, there will be a subset that indicates the ownership of that object. This is used for resource accounting and limitation (disk quotas and task rlimits for example). In a standard UNIX filesystem, for instance, this will be defined by the UID marked on the inode. 3. The objective context. Also amongst the credentials of those objects, there will be a subset that indicates the 'objective context' of that object. This may or may not be the same set as in (2) - in standard UNIX files, for instance, this is the defined by the UID and the GID marked on the inode. The objective context is used as part of the security calculation that is carried out when an object is acted upon. 4. Subjects. A subject is an object that is acting upon another object. Most of the objects in the system are inactive: they don't act on other objects within the system. Processes/tasks are the obvious exception: they do stuff; they access and manipulate things. Objects other than tasks may under some circumstances also be subjects. For instance an open file may send SIGIO to a task using the UID and EUID given to it by a task that called ``fcntl(F_SETOWN)`` upon it. In this case, the file struct will have a subjective context too. 5. The subjective context. A subject has an additional interpretation of its credentials. A subset of its credentials forms the 'subjective context'. The subjective context is used as part of the security calculation that is carried out when a subject acts. A Linux task, for example, has the FSUID, FSGID and the supplementary group list for when it is acting upon a file - which are quite separate from the real UID and GID that normally form the objective context of the task. 6. Actions. Linux has a number of actions available that a subject may perform upon an object. The set of actions available depends on the nature of the subject and the object. Actions include reading, writing, creating and deleting files; forking or signalling and tracing tasks. 7. Rules, access control lists and security calculations. When a subject acts upon an object, a security calculation is made. This involves taking the subjective context, the objective context and the action, and searching one or more sets of rules to see whether the subject is granted or denied permission to act in the desired manner on the object, given those contexts. There are two main sources of rules: a. Discretionary access control (DAC): Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL. A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use. A Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects. b. Mandatory access control (MAC): The system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this. In the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied. Types of Credentials ==================== The Linux kernel supports the following types of credentials: 1. Traditional UNIX credentials. - Real User ID - Real Group ID The UID and GID are carried by most, if not all, Linux objects, even if in some cases it has to be invented (FAT or CIFS files for example, which are derived from Windows). These (mostly) define the objective context of that object, with tasks being slightly different in some cases. - Effective, Saved and FS User ID - Effective, Saved and FS Group ID - Supplementary groups These are additional credentials used by tasks only. Usually, an EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID will be used as the objective. For tasks, it should be noted that this is not always true. 2. Capabilities. - Set of permitted capabilities - Set of inheritable capabilities - Set of effective capabilities - Capability bounding set These are only carried by tasks. They indicate superior capabilities granted piecemeal to a task that an ordinary task wouldn't otherwise have. These are manipulated implicitly by changes to the traditional UNIX credentials, but can also be manipulated directly by the ``capset()`` system call. The permitted capabilities are those caps that the process might grant itself to its effective or permitted sets through ``capset()``. This inheritable set might also be so constrained. The effective capabilities are the ones that a task is actually allowed to make use of itself. The inheritable capabilities are the ones that may get passed across ``execve()``. The bounding set limits the capabilities that may be inherited across ``execve()``, especially when a binary is executed that will execute as UID 0. 3. Secure management flags (securebits). These are only carried by tasks. These govern the way the above credentials are manipulated and inherited over certain operations such as execve(). They aren't used directly as objective or subjective credentials. 4. Keys and keyrings. These are only carried by tasks. They carry and cache security tokens that don't fit into the other standard UNIX credentials. They are for making such things as network filesystem keys available to the file accesses performed by processes, without the necessity of ordinary programs having to know about security details involved. Keyrings are a special type of key. They carry sets of other keys and can be searched for the desired key. Each process may subscribe to a number of keyrings: Per-thread keying Per-process keyring Per-session keyring When a process accesses a key, if not already present, it will normally be cached on one of these keyrings for future accesses to find. For more information on using keys, see ``Documentation/security/keys/*``. 5. LSM The Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options. Some work by labelling the objects in a system and then applying sets of rules (policies) that say what operations a task with one label may do to an object with another label. 6. AF_KEY This is a socket-based approach to credential management for networking stacks [RFC 2367]. It isn't discussed by this document as it doesn't interact directly with task and file credentials; rather it keeps system level credentials. When a file is opened, part of the opening task's subjective context is recorded in the file struct created. This allows operations using that file struct to use those credentials instead of the subjective context of the task that issued the operation. An example of this would be a file opened on a network filesystem where the credentials of the opened file should be presented to the server, regardless of who is actually doing a read or a write upon it. File Markings ============= Files on disk or obtained over the network may have annotations that form the objective security context of that file. Depending on the type of filesystem, this may include one or more of the following: * UNIX UID, GID, mode; * Windows user ID; * Access control list; * LSM security label; * UNIX exec privilege escalation bits (SUID/SGID); * File capabilities exec privilege escalation bits. These are compared to the task's subjective security context, and certain operations allowed or disallowed as a result. In the case of execve(), the privilege escalation bits come into play, and may allow the resulting process extra privileges, based on the annotations on the executable file. Task Credentials ================ In Linux, all of a task's credentials are held in (uid, gid) or through (groups, keys, LSM security) a refcounted structure of type 'struct cred'. Each task points to its credentials by a pointer called 'cred' in its task_struct. Once a set of credentials has been prepared and committed, it may not be changed, barring the following exceptions: 1. its reference count may be changed; 2. the reference count on the group_info struct it points to may be changed; 3. the reference count on the security data it points to may be changed; 4. the reference count on any keyrings it points to may be changed; 5. any keyrings it points to may be revoked, expired or have their security attributes changed; and 6. the contents of any keyrings to which it points may be changed (the whole point of keyrings being a shared set of credentials, modifiable by anyone with appropriate access). To alter anything in the cred struct, the copy-and-replace principle must be adhered to. First take a copy, then alter the copy and then use RCU to change the task pointer to make it point to the new copy. There are wrappers to aid with this (see below). A task may only alter its _own_ credentials; it is no longer permitted for a task to alter another's credentials. This means the ``capset()`` system call is no longer permitted to take any PID other than the one of the current process. Also ``keyctl_instantiate()`` and ``keyctl_negate()`` functions no longer permit attachment to process-specific keyrings in the requesting process as the instantiating process may need to create them. Immutable Credentials --------------------- Once a set of credentials has been made public (by calling ``commit_creds()`` for example), it must be considered immutable, barring two exceptions: 1. The reference count may be altered. 2. While the keyring subscriptions of a set of credentials may not be changed, the keyrings subscribed to may have their contents altered. To catch accidental credential alteration at compile time, struct task_struct has _const_ pointers to its credential sets, as does struct file. Furthermore, certain functions such as ``get_cred()`` and ``put_cred()`` operate on const pointers, thus rendering casts unnecessary, but require to temporarily ditch the const qualification to be able to alter the reference count. Accessing Task Credentials -------------------------- A task being able to alter only its own credentials permits the current process to read or replace its own credentials without the need for any form of locking -- which simplifies things greatly. It can just call:: const struct cred *current_cred() to get a pointer to its credentials structure, and it doesn't have to release it afterwards. There are convenience wrappers for retrieving specific aspects of a task's credentials (the value is simply returned in each case):: uid_t current_uid(void) Current's real UID gid_t current_gid(void) Current's real GID uid_t current_euid(void) Current's effective UID gid_t current_egid(void) Current's effective GID uid_t current_fsuid(void) Current's file access UID gid_t current_fsgid(void) Current's file access GID kernel_cap_t current_cap(void) Current's effective capabilities struct user_struct *current_user(void) Current's user account There are also convenience wrappers for retrieving specific associated pairs of a task's credentials:: void current_uid_gid(uid_t *, gid_t *); void current_euid_egid(uid_t *, gid_t *); void current_fsuid_fsgid(uid_t *, gid_t *); which return these pairs of values through their arguments after retrieving them from the current task's credentials. In addition, there is a function for obtaining a reference on the current process's current set of credentials:: const struct cred *get_current_cred(void); and functions for getting references to one of the credentials that don't actually live in struct cred:: struct user_struct *get_current_user(void); struct group_info *get_current_groups(void); which get references to the current process's user accounting structure and supplementary groups list respectively. Once a reference has been obtained, it must be released with ``put_cred()``, ``free_uid()`` or ``put_group_info()`` as appropriate. Accessing Another Task's Credentials ------------------------------------ While a task may access its own credentials without the need for locking, the same is not true of a task wanting to access another task's credentials. It must use the RCU read lock and ``rcu_dereference()``. The ``rcu_dereference()`` is wrapped by:: const struct cred *__task_cred(struct task_struct *task); This should be used inside the RCU read lock, as in the following example:: void foo(struct task_struct *t, struct foo_data *f) { const struct cred *tcred; ... rcu_read_lock(); tcred = __task_cred(t); f->uid = tcred->uid; f->gid = tcred->gid; f->groups = get_group_info(tcred->groups); rcu_read_unlock(); ... } Should it be necessary to hold another task's credentials for a long period of time, and possibly to sleep while doing so, then the caller should get a reference on them using:: const struct cred *get_task_cred(struct task_struct *task); This does all the RCU magic inside of it. The caller must call put_cred() on the credentials so obtained when they're finished with. .. note:: The result of ``__task_cred()`` should not be passed directly to ``get_cred()`` as this may race with ``commit_cred()``. There are a couple of convenience functions to access bits of another task's credentials, hiding the RCU magic from the caller:: uid_t task_uid(task) Task's real UID uid_t task_euid(task) Task's effective UID If the caller is holding the RCU read lock at the time anyway, then:: __task_cred(task)->uid __task_cred(task)->euid should be used instead. Similarly, if multiple aspects of a task's credentials need to be accessed, RCU read lock should be used, ``__task_cred()`` called, the result stored in a temporary pointer and then the credential aspects called from that before dropping the lock. This prevents the potentially expensive RCU magic from being invoked multiple times. Should some other single aspect of another task's credentials need to be accessed, then this can be used:: task_cred_xxx(task, member) where 'member' is a non-pointer member of the cred struct. For instance:: uid_t task_cred_xxx(task, suid); will retrieve 'struct cred::suid' from the task, doing the appropriate RCU magic. This may not be used for pointer members as what they point to may disappear the moment the RCU read lock is dropped. Altering Credentials -------------------- As previously mentioned, a task may only alter its own credentials, and may not alter those of another task. This means that it doesn't need to use any locking to alter its own credentials. To alter the current process's credentials, a function should first prepare a new set of credentials by calling:: struct cred *prepare_creds(void); this locks current->cred_replace_mutex and then allocates and constructs a duplicate of the current process's credentials, returning with the mutex still held if successful. It returns NULL if not successful (out of memory). The mutex prevents ``ptrace()`` from altering the ptrace state of a process while security checks on credentials construction and changing is taking place as the ptrace state may alter the outcome, particularly in the case of ``execve()``. The new credentials set should be altered appropriately, and any security checks and hooks done. Both the current and the proposed sets of credentials are available for this purpose as current_cred() will return the current set still at this point. When replacing the group list, the new list must be sorted before it is added to the credential, as a binary search is used to test for membership. In practice, this means groups_sort() should be called before set_groups() or set_current_groups(). groups_sort() must not be called on a ``struct group_list`` which is shared as it may permute elements as part of the sorting process even if the array is already sorted. When the credential set is ready, it should be committed to the current process by calling:: int commit_creds(struct cred *new); This will alter various aspects of the credentials and the process, giving the LSM a chance to do likewise, then it will use ``rcu_assign_pointer()`` to actually commit the new credentials to ``current->cred``, it will release ``current->cred_replace_mutex`` to allow ``ptrace()`` to take place, and it will notify the scheduler and others of the changes. This function is guaranteed to return 0, so that it can be tail-called at the end of such functions as ``sys_setresuid()``. Note that this function consumes the caller's reference to the new credentials. The caller should _not_ call ``put_cred()`` on the new credentials afterwards. Furthermore, once this function has been called on a new set of credentials, those credentials may _not_ be changed further. Should the security checks fail or some other error occur after ``prepare_creds()`` has been called, then the following function should be invoked:: void abort_creds(struct cred *new); This releases the lock on ``current->cred_replace_mutex`` that ``prepare_creds()`` got and then releases the new credentials. A typical credentials alteration function would look something like this:: int alter_suid(uid_t suid) { struct cred *new; int ret; new = prepare_creds(); if (!new) return -ENOMEM; new->suid = suid; ret = security_alter_suid(new); if (ret < 0) { abort_creds(new); return ret; } return commit_creds(new); } Managing Credentials -------------------- There are some functions to help manage credentials: - ``void put_cred(const struct cred *cred);`` This releases a reference to the given set of credentials. If the reference count reaches zero, the credentials will be scheduled for destruction by the RCU system. - ``const struct cred *get_cred(const struct cred *cred);`` This gets a reference on a live set of credentials, returning a pointer to that set of credentials. - ``struct cred *get_new_cred(struct cred *cred);`` This gets a reference on a set of credentials that is under construction and is thus still mutable, returning a pointer to that set of credentials. Open File Credentials ===================== When a new file is opened, a reference is obtained on the opening task's credentials and this is attached to the file struct as ``f_cred`` in place of ``f_uid`` and ``f_gid``. Code that used to access ``file->f_uid`` and ``file->f_gid`` should now access ``file->f_cred->fsuid`` and ``file->f_cred->fsgid``. It is safe to access ``f_cred`` without the use of RCU or locking because the pointer will not change over the lifetime of the file struct, and nor will the contents of the cred struct pointed to, barring the exceptions listed above (see the Task Credentials section). To avoid "confused deputy" privilege escalation attacks, access control checks during subsequent operations on an opened file should use these credentials instead of "current"'s credentials, as the file may have been passed to a more privileged process. Overriding the VFS's Use of Credentials ======================================= Under some circumstances it is desirable to override the credentials used by the VFS, and that can be done by calling into such as ``vfs_mkdir()`` with a different set of credentials. This is done in the following places: * ``sys_faccessat()``. * ``do_coredump()``. * nfs4recover.c. |