The trouble with dropping groups

By Jonathan Corbet
November 19, 2014

Linux, like all but the earliest of Unix-like systems, allows a process to be a member of multiple groups at any given time. Any of those group memberships can be used to make access-control decisions. Changing the list of groups a process belongs to is a privileged operation for obvious reasons. Recently, though, a developer started to think about letting processes drop some groups from their lists. On its face, allowing a process to discard credentials seems like it should be a safe thing to do. In practice, it turns out that there are some surprises waiting for anybody wanting to give the idea a try.

Josh Triplett would like to make it easy for unprivileged users to run programs in a sandboxed mode. As part of that work, he put together a patch allowing an unprivileged process to drop its membership in one or more groups. The idea is that a user could fire off a sandboxed process with minimal credentials, including a reduced set of group memberships, without having to resort to privileged helper commands. That should reduce the level of privilege in the system overall and, hopefully, make things more secure.

But it seems that no Unix-like system anywhere has made it possible for unprivileged processes to drop group membership. The reason may be surprising, but it's there nonetheless: some systems use group membership as a way of reducing privilege; such schemes would no longer work if users could discard groups at will.

Casey Schaufler jumped in early with the assertion that Tizen is one of the systems using groups in this way. The specific mechanism he is worried about is access control lists (ACLs). An ACL can make either positive or negative access decisions, so one can write an ACL to deny access to a resource if the accessing process is a member of a given group. It makes sense in a way; user applications could be run with membership in a special "untrusted" group that would be denied access to most system resources. Casey was pretty clear in his opinion that this change should not be merged:

This is going to introduce a whole class of vulnerabilities. Don't even think of arguing that the reduction in use of privilege will make up for that. Developers have enough trouble with the difference between setuid() and seteuid() to expect them to use group dropping properly.

Ted Ts'o pointed out that there is no need to have ACLs to use groups as a negative access indicator. Imagine you had a directory called games that you wanted to make available to all users except those in the games-abusers group. All that is needed is a command sequence like:

    chown bin.games-abusers games
    chmod 705 games

This will have the (possibly surprising) effect of blocking access to the directory for anybody in the games-abusers group — the "no access" group permission bits override the more open permissions for the whole world. Once again, being able to drop group membership would defeat this kind of mechanism.

Finally, the sudo utility can also make decisions based on group membership or the lack thereof. Being able to drop group membership could thus enable a user to get privileges via sudo that would normally have been denied.

As it happens, on a Linux system one does not actually need Josh's patch to be able to drop group membership. As Andy Lutomirski noted, user namespaces already make that possible. In a user namespace, normal users can have root access and can thus call setgroups(). In theory, that access does not enable any expanded privilege outside of the namespace, but, as can be seen here, a few surprises still lurk in that code. Beyond setgroups(), though, user namespaces can be used to drop groups by simply neglecting to map them to groups outside of the namespace; see this article for details on how this mapping works. Andy sees the problem as being serious enough that he reported it to the oss-security mailing list as a vulnerability with no fix available.

A few of the participants in the discussion seemed to feel that the idea of using credentials to reduce privilege was a bit backward. But it appears to be something that people do, so breaking it is not an option. For the case of user namespaces, some sort of fix will have to be applied; it may become impossible to drop group memberships from within a user namespace. The sudo problem can be addressed by only allowing groups to be dropped if the "no new privileges" flag (originally introduced for system call filtering) is set, but Eric Biederman worries about the additional complexity that would bring in.

There was talk of adding a sysctl knob to control the unprivileged dropping of group membership. Such a flag would default to "off"; system administrators could turn it on if they were confident that it would not subvert the security models in use on their systems. But Casey is not confident that this option makes sense; just because a system does not use groups to restrict privilege now doesn't mean that somebody won't install a package using that approach tomorrow. Also, as he pointed out: "The developers of user namespaces didn't notice it might be a problem. You can't count on sysadmins or distro developers to do better."

So, in the end, unprivileged dropping of group membership may turn out to be one of those ideas that just can't quite be shoehorned into the decades-old Unix privilege model. There is a lot of history there and no end of systems that might see surprising results coming from a change like this. If this work does go forward, expect to hear some loud complaints before it makes it into the mainline.

(Those interested in this work may also want to have a look at Josh's other patch. It allows a process to have multiple user IDs in the same way that multiple group IDs are possible now. The idea is that the process could use those supplemental IDs to run sandboxed processes each with their own user ID.)

Index entries for this article
Kernel	Namespaces/User namespaces
Kernel	Negative groups
Security	Linux kernel

to post comments

The trouble with dropping groups

Posted Nov 20, 2014 1:38 UTC (Thu) by skissane (subscriber, #38675) [Link] (6 responses)

What about a flag on a group which says it is allowed to be dropped by an unprivileged process? By default, that flag would not be enabled for any group, but sysadmin could enable it on a group-by-group basis. That would likely be much safer than an across-the-board sysctl knob.

The trouble with dropping groups

Posted Nov 20, 2014 5:21 UTC (Thu) by ncm (guest, #165) [Link] (5 responses)

I had the same thought, immediately. There must be something wrong with it if everybody on the kernel list didn't also post it simultaneously, but I am evidently too ignorant to guess what the flaw is. Would anyone care to enlighten us?

The trouble with dropping groups

Posted Nov 20, 2014 6:50 UTC (Thu) by luto (subscriber, #39314) [Link] (4 responses)

Groups are just numbers -- they have no flags. I did suggest a sysctl to specify groups that are safe to drop, but that's tedious and ugly.

The trouble with dropping groups

Posted Nov 20, 2014 7:45 UTC (Thu) by neilbrown (subscriber, #359) [Link]

A sysctl which identified a range of groups that could be dropped wouldn't be too tedious.

Then it would only be logical to also identify a range of groups that could freely be added - if the goal is to lose privileges, and adding groups achieves that, then maybe it should be allowed.

Having observed that, it starts to feel very much like the wrong solution to the problem.

The trouble with dropping groups

Posted Nov 20, 2014 21:26 UTC (Thu) by skissane (subscriber, #38675) [Link] (2 responses)

How about modifying struct group_info to add a flags word for each supplementary group? One bit of the flags word would be used to indicate if the supplementary group is droppable by unprivileged callers, the others would be reserved for future use. Add new setgroups2() system call which allows privileged processes to set the flags words when the groups are set, and allow getgroups2() to allow unprivileged callers to retrieve both the groups and the associated flags.

The trouble with dropping groups

Posted Nov 20, 2014 21:37 UTC (Thu) by luto (subscriber, #39314) [Link] (1 responses)

The problem with that is that existing userspace won't understand it at all. Without something clever, one side effect is likely to be that it will completely disable unprivileged user namespaces on most systems.

The trouble with dropping groups

Posted Nov 21, 2014 0:48 UTC (Fri) by skissane (subscriber, #38675) [Link]

I would expect that setgroups() / getgroups() would still work, setgroups() would just zero the flags words. (Alternatively, if we call setgroups() with an already present group, it could leave the flags word for that group unchanged.) So yes, for this to be usable, privileged userspace code which calls setgroups() would need to be modified to call setgroups2(). Without that change, existing userspace code should still work, it just wouldn't be able to access the droppable groups feature. In order to use the droppable groups feature, you'd need to update user space code which calls setgroups() to call setgroups2() instead with the desired flags word (reading it from NSS groups database I presume). [Of course, setgroups2() should fail if an attempt is made to set a reserved bit to a non-zero value.]

The trouble with dropping groups

Posted Nov 20, 2014 6:31 UTC (Thu) by Comet (guest, #11646) [Link] (6 responses)

As another example of negative groups: a shared webhosting product at an ISP I used to work at was implemented in part using a uid per customer (namespaced per "instance" of the hosting platform, to scale across the customer base) with all users in one "customer" group. Then the default umask was 072, so that ls -l would show, for a typical file, "-rw----r-- custid42 customer".

Thus customer Foo can not see the files of customer Bar, but the webserver process, not in the "customer" group, can access all files.

The trouble with dropping groups

Posted Nov 20, 2014 11:13 UTC (Thu) by smurf (subscriber, #17840) [Link] (3 responses)

I would definitely use an ACL for this instead.

The trouble with dropping groups

Posted Nov 20, 2014 11:37 UTC (Thu) by knan (subscriber, #3940) [Link] (1 responses)

Yes, but a negative-access group is the traditional unix way. I've seen it too in hosting cases. Dropping this will certainly lead to compromises.

The trouble with dropping groups

Posted Nov 20, 2014 23:37 UTC (Thu) by gerdesj (subscriber, #5446) [Link]

It wouldn't even occur to me to attempt this. ACLs are surely the way to go for filesystems. Your posited "Unix way" reminds me of the Inherited Right Filter in NetWare filesystems - a shortcut to madness.

I note that Novell ended up putting in an override in the filesystem so that having certain eDirectory rights to the object corresponding to the root of a volume (they are pinned as objects in the directory) would override an IRF thus always ensuring someone could get to files to fix fuck ups. Bit like root really ...

I have always been able to design filesystem layouts for user data that only needed additive rights. It only needs some thought and let's face it, real ACLs have been around for a while. The old days of just rwxrwxrwx are long gone.

Cheers
Jon

The trouble with dropping groups

Posted Nov 20, 2014 23:54 UTC (Thu) by Comet (guest, #11646) [Link]

Predates any standardized ACL semantics, predates Linux support for ACLs, and was implemented on top of NFS.

The permissions-stripping group membership is very reliable in every Unix to date.

That doesn't mean it's not a little icky, or that we can't move forward with better ways today, but unless the better way also reliably supports both NFS (various protocol versions) and other operating systems (not everything is pure Linux) then demanding that everyone switch to doing things in a way which doesn't expose the Linux change as a security flaw is only going to create acrimony for the high-handedness.

The trouble with dropping groups

Posted Nov 20, 2014 15:23 UTC (Thu) by ebiederm (subscriber, #35028) [Link]

Thank you for that example. That is the clearest example I have seen about
negative group permissions. I especially like the fact that supplementary groups are not needed for it to work.

The trouble with dropping groups

Posted Apr 25, 2015 16:37 UTC (Sat) by mcortese (guest, #52099) [Link]

It looks to me a pretty poor security scheme. It implies every user is more trustworthy than those in the customer group, even nobody, irc, anonymous FTP, etc. It is as bad as setting up iptables to default to ACCEPT and then specifying all the conditions to DROP.

I think that, in most cases where a negative-access group seems advisable, equivalent solutions with positive-access group are also possible. In Ted's example, defining a "fair-gamer" group and giving it to all users is just a couple commands longer than using "game-abuser".

A somewhat related problem

Posted Nov 20, 2014 10:21 UTC (Thu) by giggls (subscriber, #48434) [Link]

There is another Problem with traditional group handling in Linux I came across recently.

It is the lack of a system call to change the primary gid of a process in a way the suid utility sg does.

I consider it somewhat broken, that sg has to be suid at all.

It is at least very inconvenient that it is impossible to do inside a binary without an ugly wrapper script or execing itself via sg.

Sven

The trouble with dropping groups

Posted Nov 20, 2014 11:17 UTC (Thu) by smurf (subscriber, #17840) [Link]

I'd solve that with two group lists. You use one for granting access and the other for denying it. The latter must of course be a superset of the former, which is the only one the process itself can modify.

The trouble with dropping groups

Posted Nov 20, 2014 19:35 UTC (Thu) by micka (subscriber, #38720) [Link]

> it may become impossible to drop group memberships from within a user namespace

Given an hypothetical userspace system that uses the ability to drop groups from within a user namespace (say, to drop priviliges), wouldn't that mean breaking userspace?

The trouble with dropping groups

Posted Nov 20, 2014 19:56 UTC (Thu) by rgb (guest, #57129) [Link]

May be silly, but another approach could be to -instead of actually dropping a group- flag the group as dropped within the process and from then on consider the group only for negative permission checks.

Further negative group examples pam_access, pam_limits

Posted Nov 20, 2014 21:37 UTC (Thu) by cdmiller (guest, #2813) [Link]

access.conf:
-:wheel:ALL EXCEPT LOCAL .win.tue.nl

limits.conf:
@faculty soft nproc 20

The trouble with dropping groups

Posted Nov 20, 2014 22:05 UTC (Thu) by jspaleta (subscriber, #50639) [Link] (2 responses)

So that namespacing wrinkle with groups...that impacts the security of unprivileged containers that some vendors are now advertising as a feature?

-jef

The trouble with dropping groups

Posted Nov 20, 2014 23:37 UTC (Thu) by spender (guest, #23067) [Link] (1 responses)

There have been at least a dozen vulnerabilities caused by the existence of unprivileged user namespaces by now, so if this is the first one to draw your attention, you're a bit late to the game ;) It's so obviously bad that it's become a running joke on my Twitter.

Just a small sampling of the vulns:
http://article.gmane.org/gmane.linux.network/283310
http://thread.gmane.org/gmane.linux.file-systems/89076
https://lkml.org/lkml/2013/3/14/579
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git...
http://stealth.openwall.net/xSports/clown-newuser.c
http://comments.gmane.org/gmane.comp.security.oss.general...

If upstream had any security sense, they wouldn't have removed the privilege checks for creating user namespaces despite the code clearly not being ready for such a change. Grsecurity put the privilege checks back ever since they were removed and avoided this entire mess. I don't see how the creation of nearly arbitrarily-deep user namespaces by unprivileged users is of such importance in the present time to be putting systems at risk for what Ubuntu and others promote as a security feature.

-Brad

The trouble with dropping groups

Posted Nov 20, 2014 23:54 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

I'm aware of other problems yes.
I just wanted to be clear on this to the list.

But yes I'm not up to speed on state of the art on containers as much as I would like to be, can't seem to scope playing with it as relevant to my current paying gig... unless you can point me to containers that work with qnx.

-jef

The trouble with dropping groups

Posted Nov 24, 2014 15:29 UTC (Mon) by ortalo (guest, #4654) [Link] (5 responses)

Whatever the debate, personnally I consider such setups (using groups to restrict rights) as counterintuitive, and thus most probably contrary to protection rather than beneficial.
(Note these rwx things are most commonly called "access rights", which means "permissions" for most of the world, not forbidden actions. I'd like to have interdictions in our security systems, but only if they are called interdictions and cannot be easily mistaken from permissions.)

The trouble with dropping groups

Posted Nov 25, 2014 12:45 UTC (Tue) by Jandar (subscriber, #85683) [Link] (4 responses)

It doesn't matter if it's counterintuitive to some, it is an old standard practise from times well before ACL (and Linux) existed. It's embarrassing I find it more natural than this newfangled ACL thing ;-).

The trouble with dropping groups

Posted Dec 6, 2014 0:46 UTC (Sat) by Wol (subscriber, #4433) [Link] (3 responses)

Well, if linux acls are anything like windows acls then I find them thoroughly confusing too. Especially adding user and group rights. And negative rights.

The system I am used to is simple.

If user acl then grant user rights else if group acl(s) then grant sum of group rights else grant default rights.

Okay, I then can't restrict a group of users, but it makes it dead easy for me to control what rights someone has over my project - if I give a user an explicit set of rights then their (possibly unknown to me) group rights are irrelevant.

The problem with adding user and group rights is it prevents an administrator delegating to a project manager the ability to manage his projects. Okay, the best way is proper group management but if the project manager doesn't know (and he may well not have access to) the list of groups his staff belong to, then my version gives him the ability to explicitly control access at the user level.

Cheers,
Wol

The trouble with dropping groups

Posted Dec 6, 2014 20:05 UTC (Sat) by bfields (subscriber, #19510) [Link] (2 responses)

If user acl then grant user rights else if group acl(s) then grant sum of group rights else grant default rights.

That's more or less what the "posix" acls supported by most linux filesystems do. (See the "ACCESS CHECK ALGORITHM" section in the acl(5) man page for details.) They don't have the explicit deny aces that windows acls do.

The trouble with dropping groups

Posted Dec 6, 2014 20:57 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

Not true. For POSIX ACLs only the most specific entry is evaluated:

> The ACL entries are looked at in the following order: owner, named users, (owning or named) groups, others. Only a single entry determines access. Step two checks if the matching entry contains sufficient permissions.
(c) http://users.suse.com/~agruen/acl/linux-acls/online/main....

This can be used (and often is!) for effectively negative ACLs.

The trouble with dropping groups

Posted Dec 6, 2014 22:44 UTC (Sat) by rleigh (guest, #14622) [Link]

I suppose this is one area where NFS4 ACLs are a much better solution than "POSIX" ACLs, since you can have an explicit deny in the ACEs. (I see your name on the nfs4_acl(5) manpage, so I assume you'll know the answer!)

At least when using ZFS/NFS4 with FreeBSD, it appears to have fully native support for NFS4 ACLs, while Linux doesn't appear to have support there at the moment (when testing using an NFS4 ZFS export). Are there any plans for support for NFS4 ACLs with Linux on native and remote filesystems?