Even with https://bugzilla.kernel.org/show_bug.cgi?id=219168 fixed, I still can't get libpsx to work. It uses "-wrap pthread_create" but that misses dynamic libs, at least those loaded with dlopen() (not sure about the ones linked in directly). Many dlopened libs create threads, and libpsx misses them. glibc OTOH seems to traverse all of them. That still leads to a havoc and undropped perms.
I think you can iterate /proc/self/task to find out all tids. Yes, this means a full rewrite of libpsx, getting rid of libpthread APIs in there.
I've been looking at this. I'm close to releasing libcap-2.71, but may address this present feature request in libcap-2.72.
enhancement? I thought its critical. :) When not all threads drop caps, you put the system under the risk of a priv escalation. Which is why I had to drop libpsx. In fact, I'd like to drop libcap as well and stop dealing with caps. I only need CAP_SETGID to drop the supplementary group list. After that, I drop CAP_SETGID. This is really silly: one needs the cap only to drop some other right... :( I proposed this solution instead: https://www.spinics.net/lists/kernel/msg5383847.html But it only got 1 review request from Oleg Nesterov, and no more attention. Maybe you can help me on that front by reviewing my proposal? Then I promise to never bother you with libcap again. :) As I won't be using it. I don't really need it.
Silly or not dropping privileges is not always harmless: https://sites.google.com/site/fullycapable/thesendmailcapabilitiesissue This is a feature request because libpsx has never supported this use case. I'm inclined to agree it should, and have been exploring how to do it. I have three open bugs that this should resolve, so no worries if you have actually moved on!
Yes, quite an interesting reading. Why was it necessary to emulate uid0 with caps? Couldn't those capable() funcs check for "cap || uid0"? Anyway, we currently have the problem. If you use setuid-non-0 to _lower_ your privs, you still need CAP_SETGID to also drop supplementary groups. Unprivileged dropping the group list was considered by others, but yielded no results (references in my proposal) for exactly the reason you mentioned: it is not always harmless. This is why my proposal is slightly different. Will it help if I re-send it adding you to CC? The problem is real, its quite sad that there are so few people interested in fixing it. Obviously the libcap dev is the one naturally interested in such a problems. :)
I have to confess, I don't share any concerns about needing CAP_SETGID for operations like this. I did find the following links discussing subtleties in this area: https://stackoverflow.com/questions/48895619/how-do-i-drop-supplementary-groups-in-linux https://lwn.net/Articles/626665/
CAP_SETGID makes your program vulnerable. If it is hacked at some point before it drops CAP_SETGID, attacker basically has root. As libpsx is broken, you can't even reliably drop CAP_SETGID. So the fact that my program currently uses CAP_SETGID is disasterous. I wanted to make it more secure but got this. OTOH you have the relatively safe mechanism to lower the unprivileged process even more, if you suid/sgid it to some "nobody" user w/o any home dir. Then such process can't even access the data of an original user. Now to lower the privs of the already unprivileged process, I first need to gain CAP_SETGID! Its more than ridiculous: its a disaster from security POV. This is why people keep proposing the ways of dropping the group list: https://lwn.net/Articles/621612/ But my proposal is different. Instead of dropping the group list, I invented the group restriction bitmap. If the bit in such bitmap is set, then the corresponding group in the supplementary list gets restricted. That is, it no longer grant an access to anything, but can still deny the access if the group perms deny the access to that group. I think this avoids the pitfalls of the former proposals. And the patch is very small, you can look at it yourself. :) suid/sgid bits are purely classical. I believe they should work as expected. But the current handling of group list makes them useless. And you need to apply to namespaces or idmapped mounts or whatever linux guys come up with (all the non-portable stuff of course), when the simple posix techniques are completely broken.
You might like to read https://sites.google.com/site/fullycapable/inheriting-privilege for my thoughts on root equivalence. This bug request is tracking extending libpsx coverage.
Fixed with: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=12e163ac21f11a8f8760305b9f60a6b7819aee7b There is a test in the .../tests directory: $ make $ cd tests $ make run_b219174 This will be included in the libcap-2.72/libpsx-2.72 release. Date uncertain right now.
Thanks. Would you like to add cap_initgroups() just for convenience? (similar to cap_setgroups())