mirror of git://git.musl-libc.org/musl
remove rlimit hacks from multi-threaded set*id() code
the code being removed was introduced to work around "partial failure" of multi-threaded set*id() operations, where some threads would succeed in changing their ids but an RLIMIT_NPROC setting would prevent the rest from succeeding, leaving the process in an inconsistent and dangerous state. however, the workaround code did not handle important usage cases like swapping real and effective uids then restoring their original values, and the wrongful kernel enforcement of RLIMIT_NPROC at setuid time was removed in Linux 3.1, making the workaround obsolete. since the partial failure still is dangerous on old kernels, and could in principle happen on post-fix kernels as well if set*id() syscalls fail for another spurious reason such as resource-related failures, new code is added to detect and forcibly kill the process if/when such a situation arises. future documentation releases should be updated to reflect that setting RLIMIT_NPROC to RLIM_INFINITY is necessary to avoid this forced-kill on old kernels. ideally, at some point the kernel will get proper multi-threaded set*id() syscalls capable of performing their actions atomically, and all of the userspace code to emulate them can be treated as a fallback for outdated kernels.
This commit is contained in:
Rich Felker
parent
9772eadba8
commit
84b5c5479e
|
|
@ -1,43 +1,35 @@
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <sys/resource.h>
|
|
||||||
#include "syscall.h"
|
#include "syscall.h"
|
||||||
#include "libc.h"
|
#include "libc.h"
|
||||||
|
#include "pthread_impl.h"
|
||||||
|
|
||||||
struct ctx {
|
struct ctx {
|
||||||
int id, eid, sid;
|
int id, eid, sid;
|
||||||
int nr, rlim, err;
|
int nr, err;
|
||||||
};
|
};
|
||||||
|
|
||||||
/* We jump through hoops to eliminate the possibility of partial failures. */
|
|
||||||
|
|
||||||
int __setrlimit(int, const struct rlimit *);
|
|
||||||
|
|
||||||
static void do_setxid(void *p)
|
static void do_setxid(void *p)
|
||||||
{
|
{
|
||||||
struct ctx *c = p;
|
struct ctx *c = p;
|
||||||
if (c->err) return;
|
if (c->err>0) return;
|
||||||
if (c->rlim && c->id >= 0 && c->id != getuid()) {
|
int ret = -__syscall(c->nr, c->id, c->eid, c->sid);
|
||||||
struct rlimit inf = { RLIM_INFINITY, RLIM_INFINITY }, old;
|
if (ret && !c->err) {
|
||||||
getrlimit(RLIMIT_NPROC, &old);
|
/* If one thread fails to set ids after another has already
|
||||||
if ((c->err = -__setrlimit(RLIMIT_NPROC, &inf)) && libc.threads_minus_1)
|
* succeeded, forcibly killing the process is the only safe
|
||||||
return;
|
* thing to do. State is inconsistent and dangerous. Use
|
||||||
c->err = -__syscall(c->nr, c->id, c->eid, c->sid);
|
* SIGKILL because it is uncatchable. */
|
||||||
__setrlimit(RLIMIT_NPROC, &old);
|
__block_all_sigs(0);
|
||||||
return;
|
__syscall(SYS_kill, __syscall(SYS_getpid), SIGKILL);
|
||||||
}
|
}
|
||||||
c->err = -__syscall(c->nr, c->id, c->eid, c->sid);
|
c->err = ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
int __setxid(int nr, int id, int eid, int sid)
|
int __setxid(int nr, int id, int eid, int sid)
|
||||||
{
|
{
|
||||||
struct ctx c = { .nr = nr, .id = id, .eid = eid, .sid = sid };
|
/* err is initially nonzero so that failure of the first thread does not
|
||||||
switch (nr) {
|
* trigger the safety kill above. */
|
||||||
case SYS_setuid:
|
struct ctx c = { .nr = nr, .id = id, .eid = eid, .sid = sid, .err = -1 };
|
||||||
case SYS_setreuid:
|
|
||||||
case SYS_setresuid:
|
|
||||||
c.rlim = 1;
|
|
||||||
}
|
|
||||||
__synccall(do_setxid, &c);
|
__synccall(do_setxid, &c);
|
||||||
if (c.err) {
|
if (c.err) {
|
||||||
errno = c.err;
|
errno = c.err;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue