fscrypt.git/security/privileges.go, branch v0.2.4 Go tool for managing Linux filesystem encryption Ensure keyring privilege changes are reversible 2018-08-23T18:00:34+00:00 Joe Richey joerichey@google.com joerichey@google.com 2018-08-22T12:23:00+00:00 315f9b042237200174a1fb99427f74027e191d66 This change makes sure that, when we set the ruid and euid in order to get the user keyring linked into the current process keyring, we will always be able to reverse these changes (using a suid of 0). This fixes an issue where "su <user>" would result in a system error when called by an unprivileged user. It also explains exactly how and why we are making these privilege changes. 
This change makes sure that, when we set the ruid and euid in order to
get the user keyring linked into the current process keyring, we will
always be able to reverse these changes (using a suid of 0).

This fixes an issue where "su <user>" would result in a system error
when called by an unprivileged user. It also explains exactly how and
why we are making these privilege changes.
Ensure setting user privileges is reversible 2018-08-23T18:00:34+00:00 Joe Richey joerichey@google.com joerichey@google.com 2018-08-22T12:17:32+00:00 3022c1603d968c22f147b4a2c49c4637dd1be91b This change makes sure after dropping then elevating privileges for a process, the euid, guid, and groups are all the same as they were originally. This significantly simplifies the privilege logic. This fixes CVE-2018-6558, which allowed an unprivleged user to gain membership in the root group (gid 0) due to the groups not being properly reset in the process. 
This change makes sure after dropping then elevating privileges for a
process, the euid, guid, and groups are all the same as they were
originally. This significantly simplifies the privilege logic.

This fixes CVE-2018-6558, which allowed an unprivleged user to gain
membership in the root group (gid 0) due to the groups not being
properly reset in the process.
security: drop and regain privileges in all threads 2018-03-25T17:22:39+00:00 Eric Biggers ebiggers@google.com 2018-03-25T17:13:26+00:00 aa88bf4527cced6e3e16ca3e5ae07076cc8217f0 After enabling pam_fscrypt for "session" and creating a directory protected with a login protector, I was no longer able to log in as that user. The problem is that the Go runtime is creating threads after pam_fscrypt drops privileges, but pam_fscrypt is not re-acquiring privileges on those threads because the Go wrappers for setreuid(), setregid(), and setgroups() in the "sys/unix" package are using the raw syscalls which operate on the calling thread only. This violates glibc's assumption that all threads have the same uids and gids, causing it to abort() the process when a later module in the PAM stack (pam_mail in my case) tries to drop privileges using the glibc functions. Fix it by dropping and regaining privileges using the glibc functions rather than the "sys/unix" functions. This also avoids any possibility that privileges could be changed in a thread other than the "main" one for pam_fscrypt, since the Go runtime does not guarantee which OS-level thread runs what. It would be nice to also exit all Go worker threads before returning from pam_fscrypt, but the Go runtime doesn't seem to support that. 
After enabling pam_fscrypt for "session" and creating a directory
protected with a login protector, I was no longer able to log in as that
user.  The problem is that the Go runtime is creating threads after
pam_fscrypt drops privileges, but pam_fscrypt is not re-acquiring
privileges on those threads because the Go wrappers for setreuid(),
setregid(), and setgroups() in the "sys/unix" package are using the raw
syscalls which operate on the calling thread only.

This violates glibc's assumption that all threads have the same uids and
gids, causing it to abort() the process when a later module in the PAM
stack (pam_mail in my case) tries to drop privileges using the glibc
functions.

Fix it by dropping and regaining privileges using the glibc functions
rather than the "sys/unix" functions.

This also avoids any possibility that privileges could be changed in a
thread other than the "main" one for pam_fscrypt, since the Go runtime
does not guarantee which OS-level thread runs what.

It would be nice to also exit all Go worker threads before returning
from pam_fscrypt, but the Go runtime doesn't seem to support that.
security: No more permenant privilege dropping 2017-09-01T07:50:42+00:00 Joseph Richey joerichey94@gmail.com 2017-09-01T07:50:42+00:00 d5f64c1ecd8f13f01681d0a18b8f3174ff9bd225 This was creating an issue becasuse fully dropping privileges required spawning a goroutine and using rutime.DropOSThread(). 
This was creating an issue becasuse fully dropping privileges required
spawning a goroutine and using rutime.DropOSThread().
security: Rewrite of keryings and permissions 2017-08-31T00:51:05+00:00 Joe Richey joerichey@google.com 2017-08-31T00:51:05+00:00 7888645ab68ed0510ff66121f35630b11976a09f The keyring lookup functions no longer read from /proc/keys. Now they simply spawn a thread, drop privs, and check with GetKeyringID and KEY_SPEC_USER_KEYRING. See userKeyringID() for more info. The privileges functions have also been changed. Now the concept of setting privileges is seperate form the concept of setting up the keyrings. 
The keyring lookup functions no longer read from /proc/keys. Now they
simply spawn a thread, drop privs, and check with GetKeyringID and
KEY_SPEC_USER_KEYRING. See userKeyringID() for more info.

The privileges functions have also been changed. Now the concept of
setting privileges is seperate form the concept of setting up the
keyrings.
security: Moved cache dropping function 2017-08-22T19:53:26+00:00 Joe Richey joerichey@google.com joerichey@google.com 2017-08-22T19:52:41+00:00 32c9be59a2485ef44ac4b3accc2f102cf2eb5a39 






security: Fixed typo and improved error handling
2017-08-22T18:32:03+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-08-22T18:32:03+00:00

50256fab010adfde1b349160460659fb03d8c8ac












cmd/fscrypt: purge command now clears cache
2017-08-18T05:49:44+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-08-16T01:11:29+00:00

151e8965fa3a9c8f65e316430f9df0fa763fb02d