Re: Linux peer_cred Mischmasch

[Andy Lutomirski <luto () amacapital net>]

On 07/22/2014 04:17 AM, Florian Weimer wrote:
> On 07/22/2014 12:15 PM, Sebastian Krahmer wrote:
> > While maybe_add_creds() (via SOCK_PASSCRED) and scm_send()
> > (via unix_{stream,dgram}_sendmsg()) use the real UID,
> >
> > cred_to_ucred() (via SO_PEERCRED) passes the EUID (this time
> > also kuid_munged()).
>
> There should also be a discrepancy regarding when the credentials are
> captured (time of send for SOCK_PASSCRED, time of socket creation for
> SO_PEERCRED).  The latter is required because privileged processes
> assume that they can safely write to stderr, so picking the current
> process credentials may well introduce vulnerabilities.

Indeed.  IMO both of these interfaces are flawed, but PASSCRED is
terminally broken and should never be used.  See, for example,
CVE-2013-1979, which is the immediate cause of the ruid thing.

I'm making very very slow progress toward SCM_IDENTITY, a non-broken
replacement for both of these.

--Andy