Let's say the following program is executed from a setuid-root binary, by a non-root user:
int main()
{
if (fork()) {
/* Parent process */
int wstatus; wait(&wstatus);
if (WEXITSTATUS(wstatus) == 0) {
/* Child process exited with return code indicating success */
do_something_potentially_dangerous();
return 0;
} else {
/* Child process exited with return code indicating failure */
puts("Access denied");
return 1;
}
} else {
/* Child process */
setuid(getuid());
/*
...
*/
return do_critical_security_check(); /* let's say this returns 0 if it's safe */
}
}
A setuid program normally runs with extra security measures that prevent the user who started it from tampering with its (privileged) execution. I can only assume this status is preserved when it forks a child process.
But when the child process drops root privileges, does it also drop any of this protection? Barring a vulnerability in the child process's code, would the unprivileged user be able to interfere with do_critical_security_check()
, or otherwise force the child process to return 0 when it shouldn't? (Assume kernel.yama.ptrace_scope
is set to 0.)
The ptrace
man page specifies that it will (my emphasis):
Deny access if neither of the following is true:
The real, effective, and saved-set user IDs of the target match the caller's user ID, and the real, effective, and saved-set group IDs of the target match the caller's group ID.
The caller has the
CAP_SYS_PTRACE
capability in the user namespace of the target.
So if there's a saved UID that's not available to the tracer, then the tracing process can't attach and hijack the child to access it.
If the child drops its EUID irrevocably (using setresuid()
), then the tracing process can attach, but there's no saved UID to abuse.