[pseudo,6/6] client: permissions drop setuid and setgid

Message ID 1780519148-30836-7-git-send-email-mark.hatle@kernel.crashing.org

Commit Message

Mark Hatle June 3, 2026, 8:39 p.m. UTC
From: Victor Kamensky <victor.kamensky7@gmail.com>

Otherwise, in some situations where code running under pseudo sets the
setuid and setgid permission bits, they bleed into the underlying files
and may result in executables that have the setuid and setgid bit(s) set
on real files that are owned by the user who runs pseudo.

Signed-off-by: Victor Kamensky <victor.kamensky7@gmail.com>

Added comment to indicate why we also filter setuid/setgid.

Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
---
 pseudo_client.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Patch

diff --git a/pseudo_client.h b/pseudo_client.h
index 9d98ea1..83dbe08 100644
--- a/pseudo_client.h
+++ b/pseudo_client.h
@@ -88,12 +88,15 @@  extern int read_pidfile(FILE *, int *);
  * the user read/write/execute bits.  When storing to the database, though,
  * we mask out any such bits which weren't in the original mode.
  *
+ * Additional setuid/setgid modes are also filteed as they are unsafe as
+ * a real executable may allow someone to setuid/gid as the running user.
+ *
  * Note: PSEUDO_DB_MODE must be kept in sync with PSEUDO_FS_MODE, as the
  * former defined which filesystem mode bits must be loaded from the DB.
  *
  * Note: S_ISUID and S_ISGID may be stripped during a mkdir as a user,
  * account for this in PSEUDO_DB_MODE.
  */
-#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH))
+#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))
 #define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)))
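Review bot: the new comment in this hunk has a typo ("filteed" should be "filtered"), and its second sentence is hard to parse; suggest "a real file carrying the setuid/setgid bit would let anyone who executes it run as the user (or group) that ran pseudo". The macro change itself is consistent with PSEUDO_DB_MODE, which already copies S_ISUID and S_ISGID from user_mode into the DB, so the bits remain visible through pseudo while being dropped from the real file; that round-trip property is worth stating in the comment, since the existing mkdir note only covers the case where the kernel strips them.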