On Mon, Jun 04, 2007 at 10:45:42AM -0700, Zach Brown wrote: > > Second, security. What happens if a well-written server starts life > > as root, does some (async) I/O, and setuids to a non-root uid? There > > will be a bunch of async threads still running as root, with the > > result that async operations (and the main thread) will more than > > occassionally regain root privs.
> One can imagine all sorts of crazy schemes which let us only shoot down > waiting async threads which were cloned before state in the submitting > task_struct was changed. Maybe we could swallow increasing a counter in > task_struct each time we change one of these sensitive fields (fsuid, > etc), but I bet the maintenance burden of anything more fine grained > than that would get pretty excessive. How about splitting the credentials out of the task_struct and making them sharable ala ->mm et al? You change uid there and it changes for everyone. It will make fork slightly more expensive though. > Yeah, and I'm blissfully ignorant of ptrace. Imagine me skipping > through a field of daisies with some ptrace wolves hiding in the bushes > at the edge of the meadow. La la la. Heh, I'm somewhat less ignorant of ptrace, so I'll see if I can help out there. > Each execution context having its own task struct is intentional, very > much so. Remember, this started with the fibrils patch series which > indeed shared a single task struct amongst a set of running stacks and > thread infos, etc. This approach is invasive because it changes the > sleeping entity in the scheduler from a task struct to some new > construct which has a many to one mapping to the task struct. It > touches vast amounts of code. This approach is also risky because it > introduces concurrent access to the task struct. That's a pretty big > auditing burden. Yeah, I realize that, but have no idea how much code that requires looking at. > Have you looked at how the fibrils stuff did it? It's a lot more work > than it seems like it should be, on first glance. You start to modify > things and every few days you trip across another fundamental kernel > construct which needs to be modified :/. > > http://lwn.net/Articles/219954/ Ah, I somehow missed this. Since you seem to have explored that area of the solution space already and found it wanting, I agree that it makes sense to see if syslets can be made to work. Jeff -- Work email - jdike at linux dot intel dot com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
