-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FileStatus.Unix/Process.Unix: align caching of user identity. #60160
Conversation
Tagging subscribers to this area: @dotnet/area-system-io Issue DetailsThe effective user, and group of the process won't change. @dotnet/area-system-io ptal.
|
What if the process calls setuid, seteuid, or setegid? |
It is not supposed to be changed. In case someone changed it, we'd still be checking against the cached values. In cases where you want to do something as a different user, it's very recommended to start a new process. We already do this type of caching in Process.Unix: runtime/src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Unix.cs Lines 1066 to 1068 in de00deb
|
Do you mean a conforming libc implementation isn't supposed to change the values in response to these functions, or do you mean these functions aren't recommended for use but if someone uses them the values may be changed? For the former case, caching seems reasonable. |
Sorry for being unclear. The latter. You can call these functions to change the value. This means you have the capability to change user (e.g. you're It's best to call them from apps that are in tight control of their resources to limit security issues due to leaking resources of the privileged user. I'm not aware of apps that do this besides those specifically meant to change user (like That's why I seriously discourage doing this in a .NET app. We could, if it makes a difference, avoid caching for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In cases where you want to do something as a different user, it's very recommended to start a new process.
Can you recommend a link I can read explaining this expectation for Unix permissions?
We could, if it makes a difference, avoid caching for root (egid = 0), since that is the most expected privileged user (which can use these calls).
Do you mean that if the initial process owner is root, we should always invoke Interop.Sys.GetEUid()
/Interop.Sys.GetEGid()
instead of returning the cached value, and if the value changes to a non-root user at some point, we then cache it, and start returning that? That would contradict the above statement, wouldn't it? That the recommendation is to start a new process if the user wants to switch to a different user.
src/libraries/System.Private.CoreLib/src/System/IO/FileStatus.Unix.cs
Outdated
Show resolved
Hide resolved
Is this PR being submitted in response to an existing issue? |
No, I wanted to apply the same pattern here that I knew exits in Process.Unix and thought it was going to be a simple change, but I did not anticipate @stephentoub's feedback. I think we want to do the same thing in both places. I'll take another shot next week. |
Sorry :-) |
src/libraries/System.Private.CoreLib/src/System/IO/FileStatus.Unix.cs
Outdated
Show resolved
Hide resolved
@carlossanlop @stephentoub @jkotas please take another look. I've aligned the caching between FileStatus and Process, so it is only used on Linux when the user cannot change its identity. |
I'm going to make another pass at this and remove the caching on Linux because it's adding some complexity, and the additional logic is circumventing the identity check in |
I've eliminated the user identity caching.
This is up for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! It's great to see the identity caching being unified everywhere and the checks optimized for common cases.
src/libraries/Common/src/Interop/Unix/System.Native/Interop.IsMemberOfGroup.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Unix.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Unix.cs
Show resolved
Hide resolved
@tmds could you please solve the conflicts and answer #60160 (comment) ? |
Process: remove the user identity caching and extend the logic to avoid retrieving the identity in most cases by checking if all x-bits are set or not set. FileStatus: use same group check as Process. FileStatus: cache the read only flag instead of caching the identity.
The effective user, and group of the process won't change.
@dotnet/area-system-io ptal.