I've posted this in March but received no response. Reposting. This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be preserved across execve. It is currently impossible to execve a program such that effective and filesystem uid differ.
The need for this functionality arose from a desire to allow certain non-privileged users to run perf. To do this, we install perf without set-uid-root and have a set-uid-root wrapper decide who is allowed to run perf (and with what arguments). The wrapper must execve perf with real and effective root uid, because perf and KASLR require this. However, that presently resets fsuid to root, giving the user ability to read and overwrite any file owned by root (perf report -i, perf record -o). Also, perf record will create perf.data that cannot be deleted by the user. We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive level, since we must be selective which users have the permissions.

Of course, we could fix our problem by a patch to perf to allow passing a username on the command line and having perf execute setfsuid before opening files. However, perf is not the only program that uses kernel features that require root uid/euid, so a general solution that does not involve updating all such programs seems warranted.

I will update man pages, if this patch is deemed a good idea.

Igor Lubashev (1):
  security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve

 include/uapi/linux/securebits.h | 10 +++++++++-
 security/commoncap.c            |  9 +++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

-- 
2.7.4
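The two points the cover letter makes (that fsuid is reset to euid across execve, and that the per-program workaround is to call setfsuid before opening files) can be observed and exercised with the following added example. It is not part of the patch or the mailing-list thread; it assumes Linux with glibc, and the function names parse_status_uids and open_with_real_fsuid are illustrative. parse_status_uids reads the "Uid:" line of /proc/<pid>/status (real, effective, saved, filesystem uid in that order), so a program run under a set-uid wrapper can check for itself whether its fsuid still matches the invoking user after execve. open_with_real_fsuid is the workaround the author describes for perf: it drops fsuid/fsgid to the real uid/gid only around the open() call, so a file created with O_CREAT is owned by the invoking user rather than root and the permission check on an existing file is made against that user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Uid:" line of a /proc/<pid>/status text into
 * out[0]=real, out[1]=effective, out[2]=saved, out[3]=filesystem uid.
 * Returns 0 on success, -1 if the line is missing or malformed.
 * (Illustrative helper, not kernel or perf code.) */
int parse_status_uids(const char *status_text, unsigned long out[4])
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "Uid:", 4) == 0) {
            if (sscanf(p + 4, "%lu %lu %lu %lu",
                       &out[0], &out[1], &out[2], &out[3]) == 4)
                return 0;
            return -1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Open a path with the filesystem uid/gid temporarily set to the caller's
 * real uid/gid, then restore them. This is the "setfsuid before opening
 * files" workaround the cover letter mentions; a process whose fsuid already
 * equals its real uid sees no change. Returns the fd or -1 with errno set. */
int open_with_real_fsuid(const char *path, int flags, mode_t mode)
{
    /* setfsuid/setfsgid return the previous value on both success and failure */
    uid_t old_fsuid = setfsuid(getuid());
    gid_t old_fsgid = setfsgid(getgid());
    int fd = open(path, flags, mode);
    int saved_errno = errno;
    setfsuid(old_fsuid);
    setfsgid(old_fsgid);
    errno = saved_errno;
    return fd;
}

/* Read /proc/self/status into buf; returns 0 on success, -1 on error. */
static int read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char status[8192];
    unsigned long uids[4];

    if (read_self_status(status, sizeof status) == 0 &&
        parse_status_uids(status, uids) == 0) {
        printf("ruid=%lu euid=%lu suid=%lu fsuid=%lu\n",
               uids[0], uids[1], uids[2], uids[3]);
        if (uids[3] != uids[1])
            printf("fsuid differs from euid: fsuid was preserved\n");
        else
            printf("fsuid equals euid: this is the default execve behaviour\n");
    }

    /* Constructed usage: open an existing file via the real-uid fsuid path */
    int fd = open_with_real_fsuid("/dev/null", O_RDONLY, 0);
    if (fd < 0) {
        perror("open_with_real_fsuid");
        return EXIT_FAILURE;
    }
    close(fd);
    return EXIT_SUCCESS;
}
```

Run as an ordinary user the program reports all four ids equal; run from a set-uid-root wrapper it shows whether the kernel left fsuid at the invoking user's id, which is exactly the property the proposed securebit is meant to control.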