From patchwork Wed Jun 3 20:39:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3855DCD6E55 for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.29656.1780519152937675784 for ; Wed, 03 Jun 2026 13:39:13 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9V42263173; Wed, 3 Jun 2026 15:39:11 -0500 From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 6/6] client: permissions drop setuid and setgid Date: Wed, 3 Jun 2026 15:39:08 -0500 Message-Id: <1780519148-30836-7-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4129 
From: Victor Kamensky

Otherwise, in some situations, where code running under pseudo sets the setuid and setgid permission bits, they bleed into the underlying files, and may result in executables that have the setuid and/or setgid bit(s) on real files that are owned by the user who runs pseudo.

Signed-off-by: Victor Kamensky

Added comment to indicate why we also filter setuid/setgid.

Signed-off-by: Mark Hatle
Signed-off-by: Mark Hatle
---
 pseudo_client.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pseudo_client.h b/pseudo_client.h index 9d98ea1..83dbe08 100644 --- a/pseudo_client.h +++ b/pseudo_client.h @@ -88,12 +88,15 @@ extern int read_pidfile(FILE *, int *); * the user read/write/execute bits. When storing to the database, though, * we mask out any such bits which weren't in the original mode. * + * Additional setuid/setgid modes are also filteed as they are unsafe as + * a real executable may allow someone to setuid/gid as the running user. + * * Note: PSEUDO_DB_MODE must be kept in sync with PSEUDO_FS_MODE, as the * former defined which filesystem mode bits must be loaded from the DB. * * Note: S_ISUID and S_ISGID may be stripped during a mkdir as a user, * account for this in PSEUDO_DB_MODE. */ -#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) +#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) #define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)))
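Review bot: the new comment block in this hunk has a typo ("filteed" should be "filtered") and its first sentence is hard to parse; suggest something like "+ * The setuid/setgid bits are also filtered from the real filesystem mode: a real executable carrying them would let anyone run it as the user running pseudo." The existing note just below it ("S_ISUID and S_ISGID may be stripped during a mkdir as a user, account for this in PSEUDO_DB_MODE") is now out of date, since after this change both bits are always stripped from the on-disk mode, not only on mkdir; it should be reworded to say so. The PSEUDO_DB_MODE macro needs no change, because it already takes S_ISUID and S_ISGID from user_mode, so the emulated mode recorded in the DB still carries the bits the build requested while the real file never does; that is exactly the "kept in sync" property the comment asks for, and it is worth stating explicitly in the comment rather than leaving the reader to check the masks. Minor, in untouched context: "the former defined which" should read "defines".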