From Fedora Project Wiki
Line 65: Line 65:
This would require getting a new user-space interface into the kernel, with corresponding changes to the insides of glibc.  The precise mechanism has not been decided yet - presumably whatever is acceptable to the upstream kernel/glibc maintainers.
This would require getting a new user-space interface into the kernel, with corresponding changes to the insides of glibc.  The precise mechanism has not been decided yet - presumably whatever is acceptable to the upstream kernel/glibc maintainers.


We could also perhaps patch "strace" so that it shows richer information:
We could also perhaps patch "strace" so that it shows richer information than just:
<pre>
<pre>
open("/etc/shadow", O_RDONLY)          = -1 EACCES (Permission denied)
open("/etc/shadow", O_RDONLY)          = -1 EACCES (Permission denied)
Line 71: Line 71:


=== libexplain ===
=== libexplain ===
Possible implementation approach: see [http://libexplain.sourceforge.net/ libexplain].  It's in Fedora
Possible implementation approach: see [http://libexplain.sourceforge.net/ libexplain].  It's in Fedora.  From my (brief) reading of things, this is a user-space API for generating a user-friendly error message, given a syscall, its args, and the errno.  It appears to work using lots of heuristics and presumably extra syscalls to ascertain why a failure happened (thus presumably it can give the wrong answer if things have changed since the failed call):


Examples of output from libexplain (taken from upstream website and its author's LCA 2010 talk):
Examples of output from libexplain (taken from upstream website and its author's LCA 2010 talk):
Line 91: Line 91:
Read-only file system (30, EROFS)
Read-only file system (30, EROFS)
because the floppy disk has the write protect tab set
because the floppy disk has the write protect tab set
</pre>
Here's what libexplain can generate for an EPERM:
<pre>
unlink(pathname = "/tmp/no-no-no") failed, Operation not permitted (1, EPERM)
because the pathname directory "/tmp" has the sticky bit (S_ISVTX) set and the
process's effective UID (200 "pmiller") is neither the UID of the file to be deleted
(201 "archives") nor that of the directory (0 "root"), and the process is not
privileged (does not have the DAC_FOWNER capability)
</pre>
</pre>



Revision as of 19:19, 21 January 2013

Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.
Set a Page Watch
Make sure you click watch on your new page so that you are notified of changes to it by others, including the Feature Wrangler
All sections of this template are required for review by FESCo. If any sections are empty it will not be reviewed



Friendly EPERM

Summary

Coordinated patches to kernel and glibc so that (optionally) strerror(EPERM) and strerror(EACCES) give useful information on why permission was denied

Owner

Current status

  • Targeted release: [[Releases/<number> | Fedora <number> ]]
  • Last updated: (DATE)
  • Percentage of completion: XX%


Detailed Description

Traditionally, if a process attempts a forbidded operation, errno for that thread is set to EACCES or EPERM, and a call to strerror() returns a localized version of "Permission Denied" or "Operation not permitted". This string appears throughout textual UIs and syslog messages. For example, it will show up in command-line tools, in exceptions within scripting languages, etc.

There are an increasing number of ways in which you can fail to have permission to do something:

  • classic POSIX discretionary access controls
  • Linux security modules (e.g. SELinux mandatory access controls)
  • capabilities
  • seccomp
  • etc (TODO: expand this list)

As we continue to add mechanisms for the Kernel to deny permissions, the Administrator/User is faced with just a message that says "Permission Denied" Then if the administrator is lucky enough or skilled enough to know where to look, he might be able to understand why the process was denied access.

Under normal deployment situations we don't want to leak information to an attacker as to why permission was denied, but under development situations it's useful to know why a failure happens.

We propose to:

  • patch the kernel so that it can optionally provide user-space with a "failure cookie" giving additional information beyond the bare ERRNO (handled at the per-thread level, like strerror, iirc)
  • patch glibc's implementation of strerror (and related calls) so that it can use this "failure cookie" to provide a localized extension to the "Operation not permitted" giving additional details.

The failure cookie would only be exposed to user space for processes with a particular bit set (using prctl), so that you have to opt-in to having this information exposed.


Examples

  • cat: /etc/shadow: Permission denied (POSIX: user "david" not owner "root" or in group "root" and file does not have readable-by-all bit)
  • [error] [client ::1] Permission denied (SELinux: context "unconfined_u:system_r:httpd_t:s0" does not have permission to read "system_u:object_r:shadow_t:s0")
  • mount: Permission Denied (Capabilities: user "david" does not have CAP_SYS_ADMIN)

Benefit to Fedora

This feature should significantly simplify debugging permissions issues in Fedora. For example, rather than seeing "Operation not permitted" error and e.g. blindly trying to disable SELinux, a user can see directly whether or not SELinux was involved.

Scope

This would require getting a new user-space interface into the kernel, with corresponding changes to the insides of glibc. The precise mechanism has not been decided yet - presumably whatever is acceptable to the upstream kernel/glibc maintainers.

We could also perhaps patch "strace" so that it shows richer information than just:

open("/etc/shadow", O_RDONLY)           = -1 EACCES (Permission denied)

libexplain

Possible implementation approach: see libexplain. It's in Fedora. From my (brief) reading of things, this is a user-space API for generating a user-friendly error message, given a syscall, its args, and the errno. It appears to work using lots of heuristics and presumably extra syscalls to ascertain why a failure happened (thus presumably it can give the wrong answer if things have changed since the failed call):

Examples of output from libexplain (taken from upstream website and its author's LCA 2010 talk):

open(pathname = "no-such-dir/some-file", flags = O_RDONLY) failed,
No such file or directory (2, ENOENT)
because there is no "no-such-dir" directory in the current directory
fopen(pathname = "/media/disk/booboo", flags = "w") failed,
Read-only file system (30, EROFS)
because write access was requested and pathname refers to a file on a read-only
file system ("/media/disk", 42% full)
open(pathname = "/dev/fd0", O_RDWR, 0666) failed,
Read-only file system (30, EROFS)
because the floppy disk has the write protect tab set

Here's what libexplain can generate for an EPERM:

unlink(pathname = "/tmp/no-no-no") failed, Operation not permitted (1, EPERM)
because the pathname directory "/tmp" has the sticky bit (S_ISVTX) set and the
process's effective UID (200 "pmiller") is neither the UID of the file to be deleted
(201 "archives") nor that of the directory (0 "root"), and the process is not
privileged (does not have the DAC_FOWNER capability)

and quoting that page: "Coverage includes 185 system calls and 547 ioctl requests."

How To Test

TODO

User Experience

Dependencies

Contingency Plan

Documentation

Release Notes

Comments and Discussion